Hello, friends of the Monastery.

I'm not (yet) making heavy use of the cpan or cpanm tools, and I'm still getting used to them.

Until now, every module I needed I could obtain from operating system repositories. Naturally, these repositories aren't nearly as comprehensive as CPAN as a whole; they offer just a small subset of it, so it's just a matter of time until I need to obtain something using cpan/cpanm.

Not that it's a difficult task, but I have some security-related concerns. I'll explain:

According to CPAN module docs:

According to cpanm utility docs:

A more security-aware developer might want to enable the check_sigs flag on cpan or use --verify on cpanm, and install the appropriate modules (for cpan), but how many will even consider this? Security is often complex by itself, and when it's opt-in, it has a great chance of being overlooked. Not to mention there's not much to do if the module you need wasn't even signed to begin with.

Personally, I take it as a serious threat to the CPAN ecosystem. Considering how many mirrors there are out there, I believe it's too large an attack surface to be covered without using crypto signatures. Without them, it might be very difficult to determine whether some package on any of the mirrors wasn't tampered with at some point in time.

I know this is a very long question, but I had to provide some context (so thank you if you got this far). So, here's my question: am I exaggerating? Is there anything I'm not aware of? As I said, I'm not entirely familiar with cpan/cpanm, and I hope this community might provide some insight on this matter.

return on_success() or die;
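The following is an added example, not code from the original post and not CPAN.pm's or cpanm's own implementation. It shows concretely what the check_sigs / --verify step guards: a mirror directory carries the distribution tarball plus a CHECKSUMS file listing each tarball's size and sha256, and that CHECKSUMS file is PGP-clearsigned by PAUSE. Comparing the tarball against CHECKSUMS catches a swapped tarball, but a mirror operator can rewrite CHECKSUMS too, so only the signature check closes the gap the post describes. The CHECKSUMS parser below is a deliberately minimal regex (CPAN.pm itself evaluates the file as Perl, which is another reason to verify it first), the sample tarball and CHECKSUMS are constructed inline, and the signature step assumes `gpg` is on PATH with the PAUSE signing key already imported and trusted out of band.

```perl
#!/usr/bin/env perl
# Added example: size/sha256 check of a distribution against CHECKSUMS,
# with the CHECKSUMS signature delegated to gpg. Not CPAN.pm/cpanm code.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp qw(tempdir);

sub write_file {
    my ($path, $data) = @_;
    open my $fh, '>:raw', $path or die "write $path: $!";
    print {$fh} $data;
    close $fh or die "close $path: $!";
}

# Pull one distribution's entry out of a CHECKSUMS file without eval()ing it.
# The file is Perl source as written by CPAN::Checksums; evaluating content
# fetched from an unverified mirror is exactly what a tampered mirror wants.
sub checksums_entry {
    my ($text, $basename) = @_;
    my ($block) = $text =~ /'\Q$basename\E'\s*=>\s*\{(.*?)\}/s
        or return;
    my %entry = $block =~ /'(\w+)'\s*=>\s*'?([^',\s]+)'?/g;
    return \%entry;
}

# Assumption: gpg is installed and the PAUSE key is in the keyring.
# gpg exits 0 only if the clearsigned CHECKSUMS verifies against a known key.
sub gpg_signature_ok {
    my ($checksums_path) = @_;
    no warnings 'exec';    # a missing gpg binary is reported as a failure, not a warning
    return system('gpg', '--batch', '--quiet', '--verify', $checksums_path) == 0;
}

# Returns (1, "ok") or (0, reason). With require_signature => 1 an unsigned or
# badly signed CHECKSUMS fails before any hash is compared.
sub verify_dist {
    my ($dist_path, $checksums_path, %opt) = @_;
    my ($base) = $dist_path =~ m{([^/]+)$};

    if ($opt{require_signature}) {
        gpg_signature_ok($checksums_path)
            or return (0, "CHECKSUMS signature did not verify");
    }

    local $/;    # slurp mode for both reads below
    open my $cfh, '<', $checksums_path or return (0, "open CHECKSUMS: $!");
    my $entry = checksums_entry(scalar <$cfh>, $base)
        or return (0, "$base not listed in CHECKSUMS");

    open my $dfh, '<:raw', $dist_path or return (0, "open $base: $!");
    my $bytes = <$dfh>;
    length($bytes) == $entry->{size}
        or return (0, "size mismatch: got " . length($bytes) . ", expected $entry->{size}");
    sha256_hex($bytes) eq $entry->{sha256}
        or return (0, "sha256 mismatch");
    return (1, "ok");
}

# ---- Constructed demo data (not a real CPAN distribution) ----
my $dir     = tempdir(CLEANUP => 1);
my $base    = 'Example-Dist-0.01.tar.gz';
my $payload = "constructed bytes standing in for a tarball\n";
write_file("$dir/$base", $payload);

# CHECKSUMS laid out the way CPAN::Checksums emits it. The PGP signature
# block is omitted so the demo runs offline; that is precisely why the
# require_signature run below must fail.
write_file("$dir/CHECKSUMS", sprintf(<<'END', length($payload), sha256_hex($payload)));
0&&<<'';   # this PGP-signed message is also valid perl
# CHECKSUMS file written on Mon Jan  1 00:00:00 2024 GMT by CPAN::Checksums (v2.14)
$cksum = {
  'Example-Dist-0.01.tar.gz' => {
    'mtime' => '2024-01-01',
    'sha256' => '%2$s',
    'size' => %1$d
  },
};
__END__
END

my ($ok, $why) = verify_dist("$dir/$base", "$dir/CHECKSUMS");
print "untampered:   ", ($ok ? "pass" : "FAIL ($why)"), "\n";

# A mirror swaps the tarball: same name, different bytes. CHECKSUMS catches it.
write_file("$dir/$base", $payload . "injected\n");
($ok, $why) = verify_dist("$dir/$base", "$dir/CHECKSUMS");
print "tampered:     ", ($ok ? "pass" : "FAIL ($why)"), "\n";

# A mirror that also rewrites CHECKSUMS would pass the hash check; only the
# signature requirement (what check_sigs / --verify enable) rejects it.
($ok, $why) = verify_dist("$dir/$base", "$dir/CHECKSUMS", require_signature => 1);
print "sig required: ", ($ok ? "pass" : "FAIL ($why)"), "\n";
```

Run with `perl verify_dist.pl`: the first check passes, the second fails on the size mismatch, and the third fails because the constructed CHECKSUMS carries no signature. Note that CHECKSUMS covers the tarball as uploaded to PAUSE; a per-distribution SIGNATURE file (Module::Signature) is a separate, author-provided layer and, as the post says, only exists when the author chose to sign.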


In reply to cpan/cpanm integrity and authenticity checks concerns by hrcerq
