* Darren Duncan <darren@darrenduncan.net> [2022-06-16 07:58:18 -0700]:
> THIS IS A DUPLICATE RESPONSE. I HAD PREVIOUSLY SENT THE SAME THING UNDER AN
> ALTERED SUBJECT LINE. REPEATED TO KEEP IT TOGETHER WITH THE MAIN THREAD.
>
>
> I propose an alternate solution, summarized as bootstrapping.
>
> Perl bundles an implementation of HTTPS support including certs or whatever,
> so there is zero dependency on any HTTPS library or files being with the
> operating system.
The problem with this is one of expertise and available manpower. Which is
why I believe leveraging, if possible, what MAJOR distros already provide
might be the wiser option; again, if possible. This really has less to do
with *should* perl by default support SSL outside of distribution channel
support; I submit it does not. Not to mention SSL just makes things more
fragile no matter how you paint it, often for zero benefit.
>
> This bundled implementation is purposefully limited to only being able to
> invoke CPAN or similar, that is, it has an inclusion list which is limited
> to CPAN only, though users can add more to the inclusion list as a
> configuration if they have to, and connections to anything not on the list
> is refused.
I don't see how that'd be useful, frankly. This is just coming from my hat
as an application developer.
Now, when one builds perl from source on a platform (even if via perlbrew),
the build process subjects the system to a litany of "configure" checks. And
I think this is where the middle road may be. If, for example, a proper curl
or wget is available on the system, this would probably be sufficient to assume
some minimal support that is then useful for boot strapping. But if this is
not possible, skip anything related to SSL. This is already in place with the
necessary condition of there being gcc or autoconf (or dev/build tool stack)
available. No one is trying to figure out how to build perl fundamentally if
there is no proper C compiler available.
>
> All CPAN clients bundled with Perl are set to use this bundled HTTPS support
> instead of using HTTP.
>
> Anyone wanting to use HTTPS in Perl for any purpose other than getting stuff
> from CPAN has to download a regular traditional HTTPS support module from
> CPAN, and then they would use that as they always have. These can then rely
> on the system-provided HTTPS support and certs or whatever as they always
> have.
I find it to be a huge mistake to try to roll HTTPS support in isolation, and
the problems as mentioned before has to do with manpower. This is also not
a unique problem, as demonstrated with the fact that a C compiler (usually
gcc) is required to build perl from source at step 0.
>
> Given that the only thing the bundled HTTPS support has to do is talk to
> CPAN, it can be a lot more minimalist than a typical HTTPS support, not
> needing extra features than those cooperatively decided with the CPAN
> mirrors, and having no dependencies besides Perl itself.
>
> This bootstrapping would also prevent circular dependencies in the case of
> any traditional HTTPS tools using Perl to build or install themselves.
>
> I'm not advocating any specific HTTPS implementation to bundle a copy of,
> and I'm not suggesting building a new one from scratch (bad idea for
> security things), but we can pick some existing good implementation and
> strip it down either physically or by way of configuration, and keep the
> clone in some other namespace somehow so that its presence doesn't interfere
> with installing or using the regular version of the same tool.
>
> So do others agree or not that this is better?
I disagree for the reasons above. We should not be "rolling our own" here. Minimally
there should be a canary indicating "system supports SSL" checked during the
configuration check the predicates any source build.
For system supplied perl or perl installed via a package system (e.g., FreeBSD
provides a sliding window of perl version), then https support should also be
supported also through the package system.
What I don't know is, given a "curl" or "wget" that supports SSL present on the
system, but are the steps then the perl build could utilize to pull itself up
from ye old bootstraps.
Keep in mind, both curl and wget were greatly affected when letsencrypt yolo'd
(or didn't) this CA update; which really only revealed how fragile the whole
set up is, particularly when relying on a "free" CA provider that of course
everyone is going to use. I understand this has to do more with the system's CA
store, but again this just speaks more to how fragile the whole sham is rather
than how sound the potential to just using curl or wget would be.
If curl or wget is not installed? You get no https "out of the box" - just like
you get no perl if there is no gcc or working C compiler+dev tools.
Cheers,
Brett
>
> -- Darren Duncan
>
--
--
oodler@cpan.org
oodler577@sdf-eu.org
SDF-EU Public Access UNIX System -
http://sdfeu.org irc.perl.org #openmp #pdl #native