Reviewing my first attempt to build perl securely from source on Linux (as non-root) today, I felt happy enough with the first part, namely:
$ cd $HOME
$ mkdir localperl
$ cd localperl
$ wget https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz
$ sha256sum perl-5.38.0.tar.gz
213ef58089d2f2c972ea353517dc60ec3656f050dcc027666e118b508423e517  perl-5.38.0.tar.gz
# (eyeball this to verify it matches the value displayed at:
# https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz.sha256.txt)
$ tar -xzf perl-5.38.0.tar.gz
$ cd perl-5.38.0
$ ./Configure -des -Dprefix=$HOME/localperl
$ make 2>&1 | tee make.tmp
$ make test 2>&1 | tee test.tmp
$ make install 2>&1 | tee install.tmp
$ type perl
perl is /usr/bin/perl
$ export PATH=$HOME/localperl/bin:$PATH
$ type perl
perl is $HOME/localperl/bin/perl
$ perl -v
This is perl 5, version 38, subversion 0 (v5.38.0) built for x86_64-linux
...
At least that looks safe enough to me.
I was also happy enough with the last part, namely installing CPAN modules more securely via cpanm's --verify option, which verifies the integrity of distribution files retrieved from CPAN using CHECKSUMS file and SIGNATURES file (if found in the distribution).
Now here comes the bit I seek advice on, namely the best/most secure way to install cpanm itself. Please note that I have very limited knowledge of cpanm and how it works.
In my first attempt, I simply installed cpanm via the cpan command:
$ cpan App::cpanminus 2>&1 | tee inst-cpanminus.tmp
Wondering if there's a better/more secure way to install cpanm, I browsed the App::cpanminus doco today, which advises you to install it via:
curl -L https://cpanmin.us | perl - App::cpanminus
Now I don't understand exactly how that command works. Nor do I understand the security implications of installing it like this compared to my original installation of cpanm (and Module::Signature) via the cpan command. Hence this question.
General tips/advice on good ways to securely install Perl and CPAN modules from source as a non-root user welcome.
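The "eyeball this" step in the build session above can be replaced by a scripted comparison that fails closed. This is an added example, not part of the original post or of any Perl tooling; the function names `sha256_of` and `verify_sha256` are made up for illustration, and it assumes the published `.sha256.txt` file holds the hex digest as its first field.

```shell
#!/bin/sh
# Added example: compare a file's SHA-256 with a published value, failing closed.

# Print the lowercase hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED
# EXPECTED may be a bare digest or a "digest  filename" line; only field 1 is used.
# Returns 0 on match, 1 on mismatch, 2 when the input is unusable.
verify_sha256() {
    file=$1
    expected=$(printf '%s\n' "$2" | awk 'NR==1 {print tolower($1)}')
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # Refuse anything that is not 64 hex digits, such as an HTML error
    # page that was saved in place of the checksum file.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected value is not a hex digest" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex digits" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage with the URLs from the post (needs network, so left commented out):
#   wget https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz
#   sum=$(wget -qO- https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz.sha256.txt)
#   verify_sha256 perl-5.38.0.tar.gz "$sum" && tar -xzf perl-5.38.0.tar.gz
# A digest fetched from the same host as the tarball catches corruption or a
# bad copy in transit; it does not detect a compromise of that host.
```

The same save-then-check habit applies to the documented one-liner: `perl -` runs whatever arrives on stdin, so `curl -L https://cpanmin.us -o cpanm.pl` (file name chosen here) leaves a script that can be read and hashed before `perl cpanm.pl App::cpanminus` executes it.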