hrcerq has asked for the wisdom of the Perl Monks concerning the following question:
Hello, friends of the Monastery.
I'm not (yet) making heavy use of cpan or cpanm tools, and I'm still getting used to them.
Until now, every module I needed I could obtain from operating system repositories. Naturally, these repositories aren't nearly as comprehensive as CPAN as a whole, they offer just a small subset of it, so it's just a matter of time until I need to obtain something using cpan/cpanm.
Not that it's a difficult task, but I have some security-related concerns. I'll explain:
According to CPAN module docs:
- CPAN supports digital signatures;
- however, these are not enforced on new modules;
- beyond that, signature checks are disabled by default;
- also, for it to be enabled, additional modules are needed (Module::Signature, specifically, and maybe Crypto::OpenPGP, if the gpg program is not available);
- and finally, access to the keyservers is expected.
According to cpanm utility docs:
- the --verify flag may be used to perform integrity and authenticity checks if checksum and signature files are available;
- what happens if these files are not available is not clear (is the installation process aborted?);
- again, this option is disabled by default.
A more security-aware developer might want to enable the check_sigs flag on cpan or use --verify on cpanm, and install the appropriate modules (for cpan), but how many will even consider this? Security is often complex by itself, and when it's opt-in, it has a great chance of being overlooked. Not to mention there's not much to do if the module you need wasn't even signed to begin with.
Personally, I take it as a serious threat to the CPAN ecosystem. Considering how many mirrors there are out there, I believe it's too large an attack surface to be covered without using crypto signatures. Without them, it might be very difficult to determine if some package on any of the mirrors wasn't tampered with at some point in time.
I know this is a very long question, but I had to provide some context (so thank you if you got this far). So, here's my question: am I exaggerating, is there anything I'm not aware of? As I said, I'm not entirely familiar with cpan/cpanm, and I hope this community might provide some insight on this matter.
return on_success() or die;
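The two checks the question contrasts, as an added example that is not code from CPAN.pm, cpanm or any reply in this thread: the integrity step (size and sha256 of the download compared against the mirror's CHECKSUMS entry) and the authenticity step (Module::Signature on a SIGNATURE file, which is what check_sigs / --verify add). It is written in Perl because a CHECKSUMS file is Perl source, which CPAN.pm evaluates in a Safe compartment, and this does the same. The distribution file, its CHECKSUMS entry, the temp directory and the function names are all constructed here for illustration and are not from the page.

```perl
#!/usr/bin/env perl
# Added example (not CPAN.pm or cpanm code): reproduce the integrity and
# authenticity checks so the failure modes are visible. All inputs below
# are constructed in a temporary directory.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp  qw(tempdir);
use Safe;

# A CHECKSUMS file is Perl source assigning a hashref to $cksum, keyed by
# distribution file name. On a real mirror it is PGP-clearsigned by PAUSE
# and ends in __END__ before the signature block; without check_sigs that
# signature is never examined. Evaluate it in a Safe compartment, as
# CPAN.pm does, never with a bare eval.
sub parse_checksums {
    my ($text) = @_;
    my $cksum = Safe->new->reval($text);
    die "CHECKSUMS did not evaluate to a hash: " . ($@ || 'not a hash')
        unless ref($cksum) eq 'HASH';
    return $cksum;
}

# Integrity: compare size and sha256 of a downloaded file with its entry.
# Returns (1, 'ok') or (0, reason). Note this only proves the tarball
# matches the CHECKSUMS file fetched from the same mirror.
sub verify_integrity {
    my ($cksum, $path) = @_;
    my ($name) = $path =~ m{([^/]+)\z};
    my $entry = $cksum->{$name}
        or return (0, "no CHECKSUMS entry for $name");
    open my $fh, '<:raw', $path or return (0, "cannot open $path: $!");
    my $data = do { local $/; <$fh> };
    close $fh;
    if (defined $entry->{size} && $entry->{size} != length($data)) {
        return (0, "size mismatch: CHECKSUMS says $entry->{size}, file is " . length($data));
    }
    my $got = sha256_hex($data);
    return (0, "sha256 mismatch: CHECKSUMS says $entry->{sha256}, file is $got")
        unless defined $entry->{sha256} && $got eq $entry->{sha256};
    return (1, 'ok');
}

# Authenticity: if the unpacked distribution carries a SIGNATURE file and
# Module::Signature is installed, verify it (needs gpg or Crypt::OpenPGP
# and a reachable copy of the author's public key). An unsigned
# distribution simply has nothing to check, which is the gap the
# question points at.
sub verify_signature {
    my ($unpacked) = @_;
    return 'unsigned: no SIGNATURE file' unless -f "$unpacked/SIGNATURE";
    eval { require Module::Signature; 1 }
        or return 'SIGNATURE present, but Module::Signature is not installed';
    require Cwd;
    my $back = Cwd::getcwd();
    chdir $unpacked or die "chdir $unpacked: $!";
    my $rv = Module::Signature::verify();   # reads SIGNATURE in the cwd
    chdir $back;
    return $rv == Module::Signature::SIGNATURE_OK() ? 'signature ok'
                                                    : "signature check FAILED (code $rv)";
}

# Constructed input: a fake "download" and a CHECKSUMS entry describing it.
my $dir  = tempdir(CLEANUP => 1);
my $dist = "$dir/Example-Dist-0.01.tar.gz";
my $body = "constructed tarball bytes, not a real archive\n";
open my $out, '>:raw', $dist or die "write $dist: $!";
print {$out} $body;
close $out;

my $checksums = sprintf <<'END', length($body), sha256_hex($body);
$cksum = {
  'Example-Dist-0.01.tar.gz' => {
    'size'   => %d,
    'sha256' => '%s',
  },
};
END

my $cksum = parse_checksums($checksums);

my ($ok, $why) = verify_integrity($cksum, $dist);
print "untouched download: $why\n";

# Simulate a tampered mirror copy: same size, different content, so only
# the hash catches it.
open $out, '>:raw', $dist or die "write $dist: $!";
print {$out} substr($body, 0, -1) . '!';
close $out;
($ok, $why) = verify_integrity($cksum, $dist);
print "tampered download:  $why\n";

# There is no SIGNATURE in the constructed tree, so the authenticity step
# has nothing to verify and reports the distribution as unsigned.
print "signature:          ", verify_signature($dir), "\n";
```

The integrity check catches a corrupted or swapped tarball, but a mirror that can rewrite the tarball can rewrite CHECKSUMS next to it; only the PGP signature on CHECKSUMS (enabled in the cpan shell with `o conf check_sigs 1` followed by `o conf commit`, assuming the default config layout) or the author's SIGNATURE inside the distribution (`cpanm --verify`) ties the bytes to PAUSE or to the author rather than to the mirror. Both depend on Module::Signature being installed and on the distribution having been signed at all, which is why the last line of the example reports "unsigned" rather than a failure.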
Re: cpan/cpanm integrity and authenticity checks concerns
by Anonymous Monk on Jul 12, 2021 at 07:01 UTC
by hrcerq (Scribe) on Jul 12, 2021 at 23:37 UTC
by eyepopslikeamosquito (Archbishop) on Jul 13, 2021 at 02:18 UTC
by Anonymous Monk on Jul 14, 2021 at 16:31 UTC
by Anonymous Monk on Jul 14, 2021 at 19:31 UTC
by hrcerq (Scribe) on Jul 15, 2021 at 00:49 UTC