-
Notifications
You must be signed in to change notification settings - Fork 299
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion: mention pushy_https
in the help of CPAN mirror
#330
Comments
It seems that CPAN 2.29 introduced this flag and Perl-5.36.0 upgraded CPAN module from 2.28 to 2.33
https://metacpan.org/release/ANDK/CPAN-2.29/view/lib/CPAN/FirstTime.pm
https://perldoc.perl.org/perldelta As indicated by our help doc, to configure CPAN, it must first create I've managed to bootstrap with our mirror site using the following command
Indeed.
What's your opinion on security implications that should be noted? It seems that CPAN itself does not give notes on security implications. |
The addition of I guess the content of security note should depend on "how much level a normal user can trust the integrity of TUNA mirror". I don't know the infrastructure of TUNA mirror very well so I don't have any specific opinion here... One thing is certain: anyone should not use http://mirrors.tuna.tsinghua.edu.cn/CPAN (https:// should be used instead). The URL in the help is already https anyway. |
It seems that cpan can check the gnupg signature, so as long as the public key is not from TUNA, and the user enables Maybe we could add a note before the help doc just like https://mirrors.tuna.tsinghua.edu.cn/help/fedora/ have done and tell the user to enable |
It seems non-trivial. For bootstrapping with
The user must bootstrap from cpan.org and install |
Perl-5.36.0 defaults to
pushy_https = 1
, and with this setting CPAN refuses to use any mirror configured inurllist
.I think we should add
o conf pushy_https 0
into the help. (Maybe we also need a note about the possible security implications with this setting?)The text was updated successfully, but these errors were encountered: