
community/perl-app-cpanminus: upgrade to 1.7046, switch to HTTPS mirrors, and fix compatibility with Busybox wget

rubicon requested to merge rubicon/aports:cpanminus-fix into master

In order to effectively mitigate CVE-2020-16154 (App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass), we have to use HTTPS mirrors.

Upstream does not do so by default, probably because of dependency issues (cpanminus is meant to run with only the modules that come bundled with core Perl, and it also supports older versions of Perl, which complicates enabling HTTPS by default).

However, even without HTTPS, our cpanminus package is not working properly.

According to the manpage, "cpanm tries LWP, Wget, cURL and HTTP::Tiny (in that order) and uses the first one available", and "versions of Wget older than 1.9 don't support the "--retry-connrefused" option used by cpanm".

Busybox wget doesn't support "--retry-connrefused" either, but apkbuild-cpan depends on perl-libwww (LWP), so for package maintainers who have apkbuild-cpan installed, cpanm succeeds with LWP according to the order specified in the manpage, and the error from Busybox wget regarding "unrecognized option: retry-connrefused" is never encountered (you will see this error if you do not have perl-libwww, as cpanm does not check whether your wget is the GNU or Busybox variety).

To enable HTTPS support, perl-app-cpanminus would need to depend on GNU wget or perl-lwp-protocol-https (edit: since Busybox wget already supports "--user-agent", and I don't see the reason for "--retry-connrefused" (this behavior isn't enabled when using the curl or HTTP::Tiny backends), I decided to just patch that out, so now the extra depends cpanminus needs are just ssl_client and ca-certificates-bundle, to get HTTPS support for Busybox wget). The default mirrors also need to be patched in both the cpanm executable and fatscript.pm.

However, cpanm is actually a Perl::Strip-"minified" version of fatscript.pm, and duplicating that process is nontrivial, as it requires building from a different source URL (the author's GitHub, instead of MetaCPAN) and also has build-time dependencies that are not in Alpine repos (App::FatPacker and Perl::Strip).

I briefly referred to how Debian packages cpanminus, and it seems they are not using the "minified" cpanm or the "fatpacked" fatscript.pm (these are all the MetaCPAN package provides, so Debian is probably not using that).

Their approach has the effect of needing more runtime dependencies (among them are CPAN::DistnameInfo, Module::CPANfile, Parse::PMFile, and local::lib that I couldn't find in Alpine repos; all these are included ("fatpacked") into fatscript.pm). As new packages need to be added to testing/ first, and packages in community/ are not allowed to depend on testing/, we most likely can't take this approach.

Therefore, I have taken the approach of replacing the "minified" cpanm executable with one that utilizes the patched fatscript.pm. (I tried building cpanm without "minifying" it, and that resulted in a cpanm executable that was identical to fatscript.pm, except for the package declaration being changed into a shebang).

This approach has the advantage of not adding any runtime dependencies (they are all still "fatpacked" into fatscript.pm) or build-time dependencies (which would be needed if we wanted to re-"minify" cpanm).

If we don't replace cpanm, we could try to patch it in its "minified" form, but I don't find this option very attractive.

Edited by rubicon
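As an added illustration (not code from this merge request or from the cpanminus project) of the approach described above: a POSIX sh script that turns a fatscript.pm-style file into a cpanm executable by swapping the package declaration for a shebang, rewrites the default mirrors from http:// to https://, removes "--retry-connrefused", and audits the result so a packager can confirm nothing plaintext is left. The input file is a constructed miniature stand-in; the real fatscript.pm's package name, the exact mirror URLs (www.cpan.org and backpan.perl.org are assumed here) and the layout of the wget argument list are assumptions, so the sed expressions would need checking against the real file.

```sh
#!/bin/sh
# Added example, not part of the MR or of cpanminus itself.
# Derives a cpanm executable from a fatscript.pm-style file, switches the
# assumed default mirrors to HTTPS, drops --retry-connrefused (rejected by
# Busybox wget) and audits the result. All file contents are constructed.

make_sample_fatscript() {
    # $1: output path. Constructed miniature stand-in for fatscript.pm;
    # the package name, mirror URLs and wget argument list are assumptions.
    cat > "$1" <<'EOF'
package App::cpanminus::fatscript;
use strict;
my $mirror  = "http://www.cpan.org";
my $backpan = "http://backpan.perl.org";
my @wget = ("wget", "--user-agent", "cpanminus/1.7046", "--retry-connrefused", "-O", "-");
print "constructed stand-in for cpanm\n";
EOF
}

build_cpanm() {
    # $1: fatscript.pm path, $2: cpanm output path.
    # Line 1: package declaration becomes a shebang; everything else is kept.
    # Mirrors: only the two assumed default hosts are rewritten, so any
    # unrelated http:// string elsewhere in the file is left untouched.
    # Option: "--retry-connrefused" and its trailing separator are removed.
    sed -e '1s|^package [A-Za-z:]*;|#!/usr/bin/env perl|' \
        -e 's|http://www\.cpan\.org|https://www.cpan.org|g' \
        -e 's|http://backpan\.perl\.org|https://backpan.perl.org|g' \
        -e 's|"--retry-connrefused", ||g' \
        "$1" > "$2"
    chmod 0755 "$2"
}

audit_cpanm() {
    # $1: candidate cpanm. Returns 0 only if the file starts with a shebang,
    # contains no plaintext http:// URL and no --retry-connrefused.
    f="$1"
    head -n 1 "$f" | grep -q '^#!' || return 1
    grep -q 'http://' "$f" && return 1
    grep -q -- '--retry-connrefused' "$f" && return 1
    return 0
}

line_count() {
    # $1: file. Number of lines, trimmed, so build output can be compared
    # with its input (the rewrite must not add or drop lines).
    wc -l < "$1" | tr -d ' '
}

# Demo run on the constructed input; also serves as a stand-alone smoke test.
work=$(mktemp -d)
make_sample_fatscript "$work/fatscript.pm"
build_cpanm "$work/fatscript.pm" "$work/cpanm"
if audit_cpanm "$work/cpanm"; then
    echo "patched cpanm OK, first line: $(head -n 1 "$work/cpanm")"
else
    echo "patched cpanm still carries plaintext mirrors or --retry-connrefused" >&2
fi
rm -rf "$work"
```

The audit is the part worth keeping around: run it against the packaged cpanm after each upstream bump, since a new fatscript.pm can reintroduce a plaintext mirror or the wget option and the sed patches would silently stop matching.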
