cpan/cpanm integrity and authenticity check concerns
by hrcerq (Scribe) on Jul 12, 2021 at 02:44 UTC
hrcerq has asked for the wisdom of the Perl Monks concerning the following question:
Hello, friends of the Monastery.
I'm not (yet) making heavy use of cpan or cpanm tools, and I'm still getting used to them.
Until now, every module I needed I could obtain from operating system repositories. Naturally, these repositories aren't nearly as comprehensive as CPAN as a whole; they offer just a small subset of it, so it's just a matter of time until I need to obtain something using cpan/cpanm.
Not that it's a difficult task, but I have some security-related concerns. I'll explain:
According to CPAN module docs:
According to cpanm utility docs:
A more security-aware developer might want to enable the check_sigs flag on cpan or use --verify on cpanm, and install the appropriate modules (for cpan), but how many will even consider this? Security is often complex by itself, and when it's opt-in, it has a great chance of being overlooked. Not to mention there's not much to do if the module you need wasn't even signed to begin with.
Personally, I take it as a serious threat to the CPAN ecosystem. Considering how many mirrors there are out there, I believe it's too much of an attack surface to be covered without using crypto signatures. Without them, it might be very difficult to determine if some package on any of the mirrors wasn't tampered with at some point in time.
I know this is a very long question, but I had to provide some context (so thank you if you got this far). So, here's my question: am I exaggerating, is there anything I'm not aware of? As I said, I'm not entirely familiar with cpan/cpanm, and I hope this community might provide some insight on this matter.
return on_success() or die;
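As an added example (not part of the post, and not cpanm's own code), here are the checks behind `cpanm --verify` written out in Perl so they can be run by hand against a downloaded tarball and its CHECKSUMS file. It assumes gpg is on PATH with the PAUSE signing key already imported; the CHECKSUMS fragment and payload at the bottom are constructed for the dry run.

```perl
#!/usr/bin/env perl
# Added example, not cpanm's own code: the checks behind `cpanm --verify`.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Step 1: CHECKSUMS is PGP-clearsigned by the PAUSE key. No digest in it is
# trustworthy until gpg accepts the signature (assumes gpg on PATH and the
# PAUSE public key already imported into the local keyring).
sub signature_ok {
    my ($checksums_path) = @_;
    my $rc = system('gpg', '--batch', '--quiet', '--verify', $checksums_path);
    return $rc == 0;
}

# Step 2: extract the sha256 recorded for one distribution. CHECKSUMS is a
# Perl hash assignment ($cksum = { ... }); a regex scoped to that dist's
# own { ... } block is used instead of eval, so mirror content never runs.
sub expected_sha256 {
    my ($checksums_text, $dist_file) = @_;
    my ($hex) = $checksums_text =~ /
        '\Q$dist_file\E' \s* => \s* \{ [^}]* 'sha256' \s* => \s* '([0-9a-f]{64})'
    /xs;
    return $hex;
}

# Step 3: compare the bytes actually downloaded against that digest.
# An unlisted distribution (no entry) fails closed.
sub digest_matches {
    my ($content, $expected) = @_;
    return defined $expected && sha256_hex($content) eq $expected;
}

# Dry run on constructed data. signature_ok is only meaningful against a
# real CHECKSUMS file fetched from the author's directory, so it is not
# exercised here.
my $payload   = "constructed tarball bytes\n";
my $checksums = "\$cksum = {\n  'Foo-Bar-1.00.tar.gz' => {\n"
              . "    'sha256' => '" . sha256_hex($payload) . "',\n"
              . "    'size' => " . length($payload) . ",\n  },\n};\n";

my $want = expected_sha256($checksums, 'Foo-Bar-1.00.tar.gz');
printf "pristine download: %s\n",
    digest_matches($payload, $want) ? 'OK' : 'MISMATCH';
printf "modified download: %s\n",
    digest_matches("$payload#changed", $want) ? 'OK' : 'MISMATCH';
printf "unlisted dist:     %s\n",
    digest_matches($payload, expected_sha256($checksums, 'Other-1.0.tar.gz'))
        ? 'OK' : 'MISMATCH';
```

To make these checks the default rather than opt-in, run `o conf check_sigs 1` followed by `o conf commit` in the cpan shell (with Module::Signature installed), and set `PERL_CPANM_OPT=--verify` in the environment for cpanm.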