community/perl-app-cpanminus: upgrade to 1.7046, switch to HTTPS mirrors, and fix compatibility with Busybox wget
In order to effectively mitigate CVE-2020-16154 (App::cpanminus package 1.7044 for Perl allows Signature Verification Bypass), we have to use HTTPS mirrors.
Upstream does not do so by default probably because of dependency issues (cpanminus is meant to run with only modules that come bundled in with core Perl and also supports older versions of Perl, which complicate enabling HTTPS by default).
However, even without HTTPS, our cpanminus package is not working properly.
According to the manpage, "cpanm tries LWP, Wget, cURL and HTTP::Tiny (in that order) and uses the first one available", and "versions of Wget older than 1.9 don't support the "--retry-connrefused" option used by cpanm".
Busybox wget doesn't support "--retry-connrefused" either, but `apkbuild-cpan` depends on `perl-libwww` (LWP), so for package maintainers that have `apkbuild-cpan` installed, according to the order specified in the manpage, cpanm succeeds with LWP, and the error from Busybox wget regarding "unrecognized option: retry-connrefused" is never encountered (you will see this error if you do not have `perl-libwww`, as cpanm does not check if your wget is of the GNU or Busybox variety).
To enable HTTPS support, ~~`perl-app-cpanminus` would need to depend on GNU `wget` or `perl-lwp-protocol-https`~~ (edit: since Busybox wget already supports "--user-agent", and I don't see the reason for "--retry-connrefused" (this behavior isn't enabled when using the curl or HTTP::Tiny backends), I decided to just patch that out, so now the extra depends cpanminus needs are just `ssl_client` and `ca-certificates-bundle`, to get HTTPS support for Busybox wget). The default mirrors also need to be patched in both the `cpanm` executable and `fatscript.pm`.
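As an added example (my own illustration, not code from this merge request or from cpanminus), a small POSIX sh script that rewrites quoted plaintext mirror URL literals to HTTPS in a cpanm-style Perl source and checks that none remain, plus a check for the wget option cpanm assumes. The Perl sample and the wget help text are constructed stand-ins; the mirror strings are assumed to resemble cpanm's defaults.

```shell
#!/bin/sh
# Added example, not part of the merge request: rewrite quoted
# http:// mirror literals to https:// and check none remain.
# The Perl sample is constructed to resemble cpanm's defaults.

# Rewrite http:// -> https:// only inside quoted string literals,
# so a URL in a comment is left alone. $1 = file, edited in place.
patch_mirrors() {
    tmp="$1.tmp"
    sed -e "s|\(['\"]\)http://|\1https://|g" "$1" > "$tmp" && mv "$tmp" "$1"
}

# Return 0 only if no quoted plaintext http:// literal remains in $1.
check_https_only() {
    ! grep -q "['\"]http://" "$1"
}

# Does this `wget --help` text advertise --retry-connrefused?
# cpanm assumes it does; Busybox wget rejects the option.
wget_supports_retry() {
    printf '%s\n' "$1" | grep -q -- '--retry-connrefused'
}

# Write a constructed stand-in for the relevant part of fatscript.pm to $1.
make_sample() {
    cat > "$1" <<'EOF'
package App::cpanminus::script;   # constructed sample, not the real file
sub new {
    my $class = shift;
    bless {
        mirrors    => [ 'http://www.cpan.org' ],
        cpanmetadb => "http://cpanmetadb.plackperl.org/v1.0/",
        # http://example.invalid in a comment must stay as is
    }, $class;
}
EOF
}

# Demo run on the constructed sample.
demo=$(mktemp)
make_sample "$demo" && patch_mirrors "$demo"
check_https_only "$demo" && echo "no plaintext mirror left in $demo"
rm -f "$demo"
```

Run it against a real `fatscript.pm` copy by calling `patch_mirrors` and `check_https_only` on that file instead of the constructed sample.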
However, `cpanm` is actually a `Perl::Strip`-"minified" version of `fatscript.pm`, and duplicating that process is nontrivial, as it requires building from a different source URL (the author's GitHub, instead of MetaCPAN), and also has build-time dependencies that are not in Alpine repos (`App::FatPacker` and `Perl::Strip`).
I briefly referred to how Debian packages cpanminus, and it seems they are not using the "minified" `cpanm` or the "fatpacked" `fatscript.pm` (these are all the MetaCPAN package provides, so Debian is probably not using that).
Their approach has the effect of needing more runtime dependencies (among them are `CPAN::DistnameInfo`, `Module::CPANfile`, `Parse::PMFile`, and `local::lib`, which I couldn't find in Alpine repos; all of these are included ("fatpacked") into `fatscript.pm`). As new packages need to be added to testing/ first, and packages in community/ are not allowed to depend on testing/, we most likely can't take this approach.
Therefore, I have taken the approach of replacing the "minified" `cpanm` executable with one that utilizes the patched `fatscript.pm`. (I tried building `cpanm` without "minifying" it, and that resulted in a `cpanm` executable that was identical to `fatscript.pm`, except for the package declaration being changed into a shebang.)
This approach has the advantage of not adding any runtime dependencies (they are all still "fatpacked" into `fatscript.pm`) or build-time dependencies (needed if we want to re-"minify" `cpanm`).
If we don't replace `cpanm`, we could try to patch it in its "minified" form, but I don't find this option very attractive.