> on our move to Red Hat GNU/Linux we looked forward to handing off that responsibility to the package manager (rpm via yum/dnf)
> ... our monthly patch cycles would pick up security items without us having to monitor and manage these on our own
>> ... CPAN may not be the best for security reviews of modules (bliako)

Good catch! The OP has been a bit vague about their Security Requirements.

Package Manager and CPAN Security

Package Manager and CPAN Security seems to be a difficult topic. Some references:

Example: build perl v5.38 securely from source on Ubuntu

An example build and install of the latest perl v5.38.0 from source on my Ubuntu Linux VM using cpanm follows.

Do all steps below as non-root as a further precaution against accidentally mangling your system perl.

    $ cd $HOME
    $ mkdir localperl
    $ cd localperl
    $ wget https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz
    $ sha256sum perl-5.38.0.tar.gz
    213ef58089d2f2c972ea353517dc60ec3656f050dcc027666e118b508423e517  perl-5.38.0.tar.gz
    # (eyeball this to verify it matches the value displayed at:
    #  https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz.sha256.txt)
    $ tar -xzf perl-5.38.0.tar.gz
    $ cd perl-5.38.0
    $ ./Configure -des -Dprefix=$HOME/localperl
    $ make 2>&1 | tee make.tmp
    $ make test 2>&1 | tee test.tmp
    $ make install 2>&1 | tee install.tmp
    $ type perl
    perl is /usr/bin/perl
    $ export PATH=$HOME/localperl/bin:$PATH
    $ type perl
    perl is $HOME/localperl/bin/perl
    $ perl -v
    This is perl 5, version 38, subversion 0 (v5.38.0) built for x86_64-linux
    ...

Next install cpanm using the cpan command:

    $ cpan App::cpanminus 2>&1 | tee inst-cpanminus.tmp

to install the cpanm executable to the perl's bin path (e.g. ~/perl5/perlbrew/bin/cpanm). In my example, that would be: $HOME/localperl/bin/cpanm (note: I switched from $HOME/localperl/bin to $HOME/my/p5380/bin after this node was written to conveniently have multiple versions of perl simultaneously installed to my $HOME directory).

(Update: while using the cpan command (as above) seems best, see Building Perl and CPAN Modules Securely from Source for alternative ways to install cpanm)

Then install Module::Signature from CPAN using the cpanm command:

    $ corelist Module::Signature
    Module::Signature was not in CORE (or so I think)
    $ corelist Digest::SHA
    Digest::SHA was first released with perl v5.9.3
    $ cpanm --from https://www.cpan.org/ Module::Signature 2>&1 | tee ModuleSignature.tmp
    --> Working on Module::Signature
    Fetching https://www.cpan.org/authors/id/A/AU/AUDREYT/Module-Signature-0.88.tar.gz ... OK
    Configuring Module-Signature-0.87 ... OK
    ==> Found dependencies: IPC::Run
    --> Working on IPC::Run
    Fetching https://www.cpan.org/authors/id/T/TO/TODDR/IPC-Run-20220807.0.tar.gz ... OK
    Configuring IPC-Run-20220807.0 ... OK
    Building and testing IPC-Run-20220807.0 ... OK
    Successfully installed IPC-Run-20220807.0
    Building and testing Module-Signature-0.87 ... OK
    Successfully installed Module-Signature-0.87
    2 distributions installed

With that done, an example installing the CPAN Roman module more securely via cpanm's --verify option:

    $ cpanm --from https://www.cpan.org/ --verify Roman 2>&1 | tee Roman.tmp
    --> Working on Roman
    Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/Roman-1.24.tar.gz ... OK
    Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/CHECKSUMS ... OK
    Configuring Roman-1.24 ... OK
    Building and testing Roman-1.24 ... OK
    Successfully installed Roman-1.24
    1 distribution installed

Note that cpanm's --verify option verifies the integrity of distribution files retrieved from CPAN using CHECKSUMS file, and SIGNATURES file (if found in the distribution).

To uninstall Roman:

    $ cpanm --uninstall Roman
    Roman contains the following files:
      $HOME/localperl/lib/site_perl/5.38.0/Roman.pm
      $HOME/localperl/man/man3/Roman.3
    Are you sure you want to uninstall Roman? [y] y
    Unlink: $HOME/localperl/lib/site_perl/5.38.0/Roman.pm
    Unlink: $HOME/localperl/man/man3/Roman.3
    Unlink: $HOME/localperl/lib/site_perl/5.38.0/x86_64-linux/auto/Roman/.packlist
    Successfully uninstalled Roman

After installation, ensure your local perl is ahead of system perl in your path by updating your .profile adding at the end:

    # Use my locally built perl 5.38.0
    PATH="$HOME/localperl/bin:$PATH"

Update: see also Re^2: THREE new perl releases [Updated releases!] - build perl v5.38.2 from source

Building Perl from Source References

Package Manager References

See Also

Updated: Added "Example: build perl v5.38 securely from source on Ubuntu" section (thanks hippo for motivating me :). Added sha256sum check of perl-5.38.0.tar.gz. Added more references. Added Package Manager References section.
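The sha256sum step in the build walkthrough above asks you to eyeball the digest against the published .sha256.txt. The script below is an added example (my own, not code from the post or from cpan.org) that does that comparison mechanically and refuses to continue on a mismatch, so it can sit in front of the tar -xzf step. It assumes the first whitespace-separated token on the first line of the .sha256.txt is the hex digest; that layout is an assumption, not something the post states. The demo data it builds in a temp directory is constructed, not a real CPAN tarball.

```shell
#!/bin/sh
# Added example, not from the original post: compare a downloaded tarball's
# SHA-256 against a published .sha256.txt file in a script instead of by eye,
# and fail the step if they differ. Assumes the first whitespace-separated
# token on the first line of the .sha256.txt is the hex digest (an assumption
# about that file's layout, not something the post states).

# verify_sha256 TARBALL SUMFILE
#   returns 0 when the computed digest equals the published one, 1 otherwise
verify_sha256() {
    tarball=$1
    sumfile=$2
    [ -r "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    [ -r "$sumfile" ] || { echo "missing digest file: $sumfile" >&2; return 1; }
    expected=$(awk 'NR==1 { print tolower($1) }' "$sumfile")
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    # A hex-only, 64-character sanity check catches an HTML error page or an
    # empty file that was saved as the .sha256.txt
    case "$expected" in
        *[!0-9a-f]*|"") echo "digest file does not hold a hex digest: $sumfile" >&2; return 1 ;;
    esac
    [ ${#expected} -eq 64 ] || { echo "unexpected digest length in $sumfile" >&2; return 1; }
    if [ "$expected" != "$actual" ]; then
        echo "MISMATCH for $tarball" >&2
        echo "  published: $expected" >&2
        echo "  computed:  $actual" >&2
        return 1
    fi
    echo "OK: $tarball matches $sumfile"
    return 0
}

# demo_verify: runs the check on constructed files in a temp dir (stand-ins
# for perl-5.38.0.tar.gz and its .sha256.txt, not real CPAN data).
# Returns 0 when the intact file passes and the altered copy is rejected.
demo_verify() {
    dir=$(mktemp -d) || return 1
    printf 'constructed tarball contents\n' > "$dir/perl-demo.tar.gz"
    sha256sum "$dir/perl-demo.tar.gz" | awk '{ print $1 }' > "$dir/perl-demo.tar.gz.sha256.txt"
    verify_sha256 "$dir/perl-demo.tar.gz" "$dir/perl-demo.tar.gz.sha256.txt" || { rm -rf "$dir"; return 1; }
    # Simulate a modified download: one extra byte changes the digest
    printf 'x' >> "$dir/perl-demo.tar.gz"
    if verify_sha256 "$dir/perl-demo.tar.gz" "$dir/perl-demo.tar.gz.sha256.txt" 2>/dev/null; then
        rm -rf "$dir"; return 1
    fi
    rm -rf "$dir"
    return 0
}

# Usage against a real download, with both files fetched into the current dir:
#   verify_sha256 perl-5.38.0.tar.gz perl-5.38.0.tar.gz.sha256.txt && tar -xzf perl-5.38.0.tar.gz
demo_verify
```

The digest file is fetched over HTTPS from the same site as the tarball, so this check guards against a corrupted or substituted download and a typo in the hash you compare against, not against a compromise of cpan.org itself; for CPAN modules the cpanm --verify step described above adds the CHECKSUMS and signature layer on top.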


In reply to Re^7: Meaning of XS object version (Package Manager Security References - example building Perl securely from source) by eyepopslikeamosquito
in thread Meaning of XS object version by regalbraith
