Re^5: Meaning of XS object version

Replies are listed 'Best First'.
Re^6: Meaning of XS object version by bliako (Abbot) on Jul 20, 2023 at 13:10 UTC
I think the question you should be asking is: `How do I manage my non-OS perl installation (via perlbrew for example) with as little manual intervention as possible, as if I was updating it via my package manager?` Edit: Sorry I missed this: `After all our monthly patch cycles would pick up security items withou +t us having to monitor and manage these on our own.` [download] CPAN may not be the best for security reviews of modules. bw, bliako	[reply] [d/l] [select]
Re^7: Meaning of XS object version (Package Manager Security References - example building Perl securely from source) by eyepopslikeamosquito (Archbishop) on Jul 23, 2023 at 00:48 UTC
> on our move to Red Hat GNU/Linux we looked forward to handing off that responsibility to the package manager (rpm via yum/dnf) > ... our monthly patch cycles would pick up security items without us having to monitor and manage these on our own >> ... CPAN may not be the best for security reviews of modules (bliako) Good catch! The OP has been a bit vague about their Security Requirements. Package Manager and CPAN Security Package Manager and CPAN Security seems to be a difficult topic. Some references: cpan/cpanm integrity and authenticy checks concerns by hrcerq (Jul 2021) - my reply SOLVED: Key Not Certified in CPAN by dorko (Feb 2022) - and this reply CPAN clients exposed to sig-related vulnerabilities by hippo (Nov 2021) Re^4: pod2html: link (L<...>) formatting code (timeloop) by kcott (Dec 2021) - see responses from choroba Signature Verification Vulnerabilities in CPAN.pm, cpanminus and CPAN::Checksums - Hackeriet blog Addressing CPAN vulnerabilities related to checksums - blog by Neil Bowers package managers still vulnerable: how to protect your systems (2009) Attacks on package managers (2009) RPM Package Manager (wikipedia) Linux package management with YUM and RPM Web of trust (wikipedia) Pretty Good Privacy including OpenPGP (wikipedia) GNU Privacy Guard (wikipedia) The GNU Privacy Guard (gnupg.org - GnuPG) SHA-2 (wikipedia) - includes `sha256` (used in the example below to check `perl-5.38.0.tar.gz`) CPAN.pm Security CPAN Security Group - a community effort for supporting and responding to security incidents on CPAN Re: Software Bill of Materials (SBOM) in Perl and CPAN by sjn (Salve J. Nilsen, prodded by Tux to reply) (Sep 2024) Crypt::OpenPGP Module::Signature - adds cryptographic authentications to CPAN distributions, via the special `SIGNATURE` file cpansign - CPAN signature management utility (part of Module::Signature) cpanp install, gpg: Can't check signature: No public key by QM (2012) - response by mikegold10 (2023) Example: build perl v5.38 securely from source on Ubuntu An example build and install of the latest `perl v5.38.0` from source on my Ubuntu Linux VM using `cpanm` follows. Do all steps below as non-root as a further precaution against accidentally mangling your system perl. $ cd $HOME $ mkdir localperl $ cd localperl $ wget https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz $ sha256sum perl-5.38.0.tar.gz 213ef58089d2f2c972ea353517dc60ec3656f050dcc027666e118b508423e517 perl +-5.38.0.tar.gz # (eyeball this to verify it matches the value displayed at: # https://www.cpan.org/src/5.0/perl-5.38.0.tar.gz.sha256.txt) $ tar -xzf perl-5.38.0.tar.gz $ cd perl-5.38.0 $ ./Configure -des -Dprefix=$HOME/localperl $ make 2>&1 \| tee make.tmp $ make test 2>&1 \| tee test.tmp $ make install 2>&1 \| tee install.tmp $ type perl perl is /usr/bin/perl $ export PATH=$HOME/localperl/bin:$PATH $ type perl perl is $HOME/localperl/bin/perl $ perl -v This is perl 5, version 38, subversion 0 (v5.38.0) built for x86_64-li +nux ... [download] Next install `cpanm` using the `cpan` command: `$ cpan App::cpanminus 2>&1 \| tee inst-cpanminus.tmp` [download] to install the `cpanm` executable to the perl's bin path (e.g. `~/perl5/perlbrew/bin/cpanm`). In my example, that would be: `$HOME/localperl/bin/cpanm` (note: I switched from `$HOME/localperl/bin` to `$HOME/my/p5380/bin` after this node was written to conveniently have multiple versions of perl simultaneously installed to my `$HOME` directory). (Update: while using the `cpan` command (as above) seems best, see Building Perl and CPAN Modules Securely from Source for alternative ways to install `cpanm`) Then install Module::Signature from CPAN using the `cpanm` command: $ corelist Module::Signature Module::Signature was not in CORE (or so I think) $ corelist Digest::SHA Digest::SHA was first released with perl v5.9.3 $ cpanm --from https://www.cpan.org/ Module::Signature 2>&1 \| tee Modu +leSignature.tmp --> Working on Module::Signature Fetching https://www.cpan.org/authors/id/A/AU/AUDREYT/Module-Signature +-0.88.tar.gz ... OK Configuring Module-Signature-0.87 ... OK ==> Found dependencies: IPC::Run --> Working on IPC::Run Fetching https://www.cpan.org/authors/id/T/TO/TODDR/IPC-Run-20220807.0 +.tar.gz ... OK Configuring IPC-Run-20220807.0 ... OK Building and testing IPC-Run-20220807.0 ... OK Successfully installed IPC-Run-20220807.0 Building and testing Module-Signature-0.87 ... OK Successfully installed Module-Signature-0.87 2 distributions installed [download] With that done, an example installing the CPAN Roman module more securely via cpanm's `--verify` option: `$ cpanm --from https://www.cpan.org/ --verify Roman 2>&1 \| tee Roman.t +mp --> Working on Roman Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/Roman-1.24.tar.gz + ... OK Fetching https://www.cpan.org/authors/id/C/CH/CHORNY/CHECKSUMS ... OK Configuring Roman-1.24 ... OK Building and testing Roman-1.24 ... OK Successfully installed Roman-1.24 1 distribution installed` [download] Note that cpanm's `--verify` option verifies the integrity of distribution files retrieved from CPAN using `CHECKSUMS` file, and `SIGNATURES` file (if found in the distribution). To uninstall Roman: `$ cpanm --uninstall Roman Roman contains the following files: $HOME/localperl/lib/site_perl/5.38.0/Roman.pm $HOME/localperl/man/man3/Roman.3 Are you sure you want to uninstall Roman? [y] y Unlink: $HOME/localperl/lib/site_perl/5.38.0/Roman.pm Unlink: $HOME/localperl/man/man3/Roman.3 Unlink: $HOME/localperl/lib/site_perl/5.38.0/x86_64-linux/auto/Roman/. +packlist Successfully uninstalled Roman` [download] After installation, ensure your local perl is ahead of system perl in your path by updating your `.profile` adding at the end: `# Use my locally built perl 5.38.0 PATH="$HOME/localperl/bin:$PATH"` [download] Update: see also Re^2: THREE new perl releases [Updated releases!] - build perl v5.38.2 from source Building Perl from Source References Perl Download (perl.org) - getting started quickly (notes the latest stable version) CPAN Perl source code (cpan.org) - how to build/install perl from source (notes the latest stable version) dev.perl.org - "News" link lists all Perl releases (e.g. perl-5.41.2 dev release which you can download from CPAN) How to install CPAN modules (cpan.org) A Guide to Installing Modules by tachyon (2001) Simple Module Tutorial by tachyon (2001) ExtUtils::MakeMaker::Tutorial ExtUtils::MakeMaker Dist::Zilla::Starter Packaging with Makefile.PL (perlmaven) cpan (`cpan` command) Config (`perl` Configuration information - the Config module contains all the information that was available to the `Configure` program at Perl build time) App::perlbrew (`perlbrew` command) App::cpanminus (`cpanm` command) CPANPLUS (`cpanp` command) local::lib Re: Promoting Text::CSV to base Perl? by Corion (2023) Detecting failures easily/obviously with cpanm by hippo (2022) - this reply mentions handy `cpanm --installdeps` option THREE new perl releases by Tux (2023) - multiple perl versions updated with important security updates Re^2: THREE new perl releases [Updated releases!] - build perl v5.38.2 from source by me (2023) Re: 5.40 released (perl new feature References) by me (2024) Building Perl and CPAN Modules Securely from Source by me (2024) How to CPAN dry run ? by mvanle (2024) Upgrading Perl codebase of older Perl version by programmingzeal (2024) - see response from ikegami Package Manager References Software configuration management (wikipedia) Package manager (wikipedia) RPM Package Manager aka Red Hat Package Manager (wikipedia) yum (software) (wikipedia) Conda (package manager) (wikipedia) CPAN (wikipedia) What is the difference between cpan and cpanm? (SO) - `cpanp` is also mentioned Add a tool to local conda channel by baxy77bax (2023) perl script to conda package by jnarayan81 (2021) See Also Re: Replicate Perl setup (Building and Installing Perl References) - search for `perlbrew` Re: Security techniques every programmer should know (Security References) Updated: Added "Example: build perl v5.38 securely from source on Ubuntu" section (thanks hippo for motivating me :). Added `sha256sum` check of `perl-5.38.0.tar.gz`. Added more references. Added Package Manager References section.	[reply] [d/l] [select]
Re^6: Meaning of XS object version by eyepopslikeamosquito (Archbishop) on Jul 20, 2023 at 12:22 UTC
> As a development team we managed our own Perl on AIX/Unix. Upon our move to Red Hat GNU/Linux... Can you give us more background about your development team? Knowing that helps us provide more appropriate advice. Is this a team of system administrators or software developers or both? What programming language/s and tools does your team use? Is it an inhouse development team ... or does it provide services to external clients? Any Perl programmers in the team? :)	[reply]