Re^7: Meaning of XS object version (Package Manager Security References - example building Perl securely from source)

> on our move to Red Hat GNU/Linux we looked forward to handing off that responsibility to the package manager (rpm via yum/dnf)
> ... our monthly patch cycles would pick up security items without us having to monitor and manage these on our own
>> ... CPAN may not be the best for security reviews of modules (bliako)

Good catch! The OP has been a bit vague about their Security Requirements.

Package Manager and CPAN Security

Package Manager and CPAN Security seems to be a difficult topic. Some references:

cpan/cpanm integrity and authenticy checks concerns by hrcerq (Jul 2021) - my reply
SOLVED: Key Not Certified in CPAN by dorko (Feb 2022) - and this reply

CPAN clients exposed to sig-related vulnerabilities by hippo (Nov 2021)
Re^4: pod2html: link (L<...>) formatting code (timeloop) by kcott (Dec 2021) - see responses from choroba
Signature Verification Vulnerabilities in CPAN.pm, cpanminus and CPAN::Checksums - Hackeriet blog
Addressing CPAN vulnerabilities related to checksums - blog by Neil Bowers

RPM Package Manager (wikipedia)
Linux package management with YUM and RPM
Web of trust (wikipedia)
Pretty Good Privacy including OpenPGP (wikipedia)
GNU Privacy Guard (wikipedia)
The GNU Privacy Guard (gnupg.org - GnuPG)
SHA-2 (wikipedia) - includes sha256 (used in the example below to check perl-5.38.0.tar.gz)

CPAN.pm Security
CPAN Security Group - a community effort for supporting and responding to security incidents on CPAN
Re: Software Bill of Materials (SBOM) in Perl and CPAN by sjn (Salve J. Nilsen, prodded by Tux to reply) (Sep 2024)

Crypt::OpenPGP
Module::Signature - adds cryptographic authentications to CPAN distributions, via the special SIGNATURE file
cpansign - CPAN signature management utility (part of Module::Signature)

cpanp install, gpg: Can't check signature: No public key by QM (2012) - response by mikegold10 (2023)

Example: build perl v5.38 securely from source on Ubuntu

An example build and install of the latest perl v5.38.0 from source on my Ubuntu Linux VM using cpanm follows.

Do all steps below as non-root as a further precaution against accidentally mangling your system perl.

$ cd $HOME
$ mkdir localperl
$ cd localperl

$ wget https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz
$ sha256sum perl-5.38.0.tar.gz
213ef58089d2f2c972ea353517dc60ec3656f050dcc027666e118b508423e517  perl
+-5.38.0.tar.gz
# (eyeball this to verify it matches the value displayed at:
#  https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz.sha256.txt)

$ tar -xzf perl-5.38.0.tar.gz
$ cd perl-5.38.0
$ ./Configure -des -Dprefix=$HOME/localperl
$ make 2>&1 | tee make.tmp
$ make test 2>&1 | tee test.tmp
$ make install 2>&1 | tee install.tmp
$ type perl
perl is /usr/bin/perl
$ export PATH=$HOME/localperl/bin:$PATH
$ type perl
perl is $HOME/localperl/bin/perl
$ perl -v
This is perl 5, version 38, subversion 0 (v5.38.0) built for x86_64-li
+nux
...
[download]

Next install cpanm using the cpan command:

$ cpan App::cpanminus 2>&1 | tee inst-cpanminus.tmp
[download]

to install the cpanm executable to the perl's bin path (e.g. ~/perl5/perlbrew/bin/cpanm). In my example, that would be: $HOME/localperl/bin/cpanm (note: I switched from $HOME/localperl/bin to $HOME/my/p5380/bin after this node was written to conveniently have multiple versions of perl simultaneously installed to my $HOME directory).

(Update: while using the cpan command (as above) seems best, see Building Perl and CPAN Modules Securely from Source for alternative ways to install cpanm)

Then install Module::Signature from CPAN using the cpanm command:

$ corelist Module::Signature
Module::Signature was not in CORE (or so I think)
$ corelist Digest::SHA
Digest::SHA was first released with perl v5.9.3

$ cpanm --from https://www.cpan.org/ Module::Signature 2>&1 | tee Modu
+leSignature.tmp
--> Working on Module::Signature
Fetching https://www.cpan.org/authors/id/A/AU/AUDREYT/Module-Signature
+-0.88.tar.gz ... OK
Configuring Module-Signature-0.87 ... OK
==> Found dependencies: IPC::Run
--> Working on IPC::Run
Fetching https://www.cpan.org/authors/id/T/TO/TODDR/IPC-Run-20220807.0
+.tar.gz ... OK
Configuring IPC-Run-20220807.0 ... OK
Building and testing IPC-Run-20220807.0 ... OK
Successfully installed IPC-Run-20220807.0
Building and testing Module-Signature-0.87 ... OK
Successfully installed Module-Signature-0.87
2 distributions installed
[download]

With that done, an example installing the CPAN Roman module more securely via cpanm's --verify option:

$ cpanm --from https://www.cpan.org/ --verify Roman 2>&1 | tee Roman.t
+mp
--> Working on Roman
Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/Roman-1.24.tar.gz
+ ... OK
Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/CHECKSUMS ... OK
Configuring Roman-1.24 ... OK
Building and testing Roman-1.24 ... OK
Successfully installed Roman-1.24
1 distribution installed
[download]

Note that cpanm's --verify option verifies the integrity of distribution files retrieved from CPAN using CHECKSUMS file, and SIGNATURES file (if found in the distribution).

To uninstall Roman:

$ cpanm --uninstall Roman
Roman contains the following files:

  $HOME/localperl/lib/site_perl/5.38.0/Roman.pm
  $HOME/localperl/man/man3/Roman.3

Are you sure you want to uninstall Roman? [y] y

Unlink: $HOME/localperl/lib/site_perl/5.38.0/Roman.pm
Unlink: $HOME/localperl/man/man3/Roman.3
Unlink: $HOME/localperl/lib/site_perl/5.38.0/x86_64-linux/auto/Roman/.
+packlist

Successfully uninstalled Roman
[download]

After installation, ensure your local perl is ahead of system perl in your path by updating your .profile adding at the end:

# Use my locally built perl 5.38.0
PATH="$HOME/localperl/bin:$PATH"
[download]

Building Perl from Source References

Perl Download (perl.org) - getting started quickly (notes the latest stable version)
CPAN Perl source code (cpan.org) - how to build/install perl from source (notes the latest stable version)
dev.perl.org - "News" link lists all Perl releases (e.g. perl-5.41.2 dev release which you can download from CPAN)

How to install CPAN modules (cpan.org)
A Guide to Installing Modules by tachyon (2001)
Simple Module Tutorial by tachyon (2001)
ExtUtils::MakeMaker::Tutorial
ExtUtils::MakeMaker
Dist::Zilla::Starter
Packaging with Makefile.PL (perlmaven)

cpan (cpan command)
Config (perl Configuration information - the Config module contains all the information that was available to the Configure program at Perl build time)
App::perlbrew (perlbrew command)
App::cpanminus (cpanm command)
CPANPLUS (cpanp command)
local::lib

Re: Promoting Text::CSV to base Perl? by Corion (2023)
Detecting failures easily/obviously with cpanm by hippo (2022) - this reply mentions handy cpanm --installdeps option
THREE new perl releases by Tux (2023) - multiple perl versions updated with important security updates
Re^2: THREE new perl releases [Updated releases!] - build perl v5.38.2 from source by me (2023)
Re: 5.40 released (perl new feature References) by me (2024)
Building Perl and CPAN Modules Securely from Source by me (2024)

How to CPAN dry run ? by mvanle (2024)
Upgrading Perl codebase of older Perl version by programmingzeal (2024) - see response from ikegami

Package Manager References

Software configuration management (wikipedia)
Package manager (wikipedia)
RPM Package Manager aka Red Hat Package Manager (wikipedia)
yum (software) (wikipedia)
Conda (package manager) (wikipedia)
CPAN (wikipedia)

What is the difference between cpan and cpanm? (SO) - cpanp is also mentioned

Add a tool to local conda channel by baxy77bax (2023)
perl script to conda package by jnarayan81 (2021)

See Also

Re: Replicate Perl setup (Building and Installing Perl References) - search for perlbrew
Re: Security techniques every programmer should know (Security References)

Updated: Added "Example: build perl v5.38 securely from source on Ubuntu" section (thanks hippo for motivating me :). Added sha256sum check of perl-5.38.0.tar.gz. Added more references. Added Package Manager References section.

Comment on Re^7: Meaning of XS object version (Package Manager Security References - example building Perl securely from source) Select or Download Code