perl: CVE-2023-31486

Related Vulnerabilities: CVE-2023-31486, CVE-2023-31484

Debian Bug report logs - #954089
perl: CVE-2023-31486


Package: src:perl; Maintainer for src:perl is Niko Tyni <ntyni@debian.org>;

Reported by: Felix Lechner <felix.lechner@lease-up.com>

Date: Mon, 16 Mar 2020 15:33:02 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version perl/5.36.0-7

Fix blocked by 962407: libhttp-tiny-perl: CVE-2023-31486: Does not defaults to verify SSL certificates

Forwarded to https://github.com/chansen/p5-http-tiny/issues/134



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Mon, 16 Mar 2020 15:33:04 GMT)


Acknowledgement sent to Felix Lechner <felix.lechner@lease-up.com>:
New Bug report received and forwarded. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Mar 2020 15:33:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Felix Lechner <felix.lechner@lease-up.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libplack-perl: Please verify server identity via SSL
Date: Mon, 16 Mar 2020 08:28:07 -0700
Package: libplack-perl
Severity: important

Dear maintainer,

Your package uses the Perl module HTTP::Tiny, but it does not force
the verify_SSL attribute to a true value.

By default, HTTP::Tiny does not validate the identity of server
certificates. The documentation states that "Server identity
verification is controversial and potentially tricky..." [1]

As late as 2015, upstream has been doubling up: "we're not going to be
responsible for the user's trust model" [2]

I believe, on the other hand, that the encryption of a transmission
has no value when talking to the wrong person. You can easily see
HTTP::Tiny's useless and dangerous default in Plack::LWPish by running
the script at the end of this message.

Will you please turn on the verify_SSL attribute in HTTP::Tiny?
Alternatively, please alert your users so they do not rely on standard
HTTPS security guarantees when using your module.

Kind regards
Felix Lechner

[1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT
[2] https://github.com/chansen/p5-http-tiny/issues/68

* * *

#!/usr/bin/perl
use strict;
use warnings;

use HTTP::Request;
use Plack::LWPish;

# self-signed.badssl.com presents a certificate that no CA has signed; a
# client that verifies server identity must refuse it.
my $request = HTTP::Request->new(GET => 'https://self-signed.badssl.com/');

# Plack::LWPish wraps HTTP::Tiny with HTTP::Tiny's defaults, so verify_SSL
# stays off unless the caller turns it on.
my $ua = Plack::LWPish->new;
my $response = $ua->request($request); # returns HTTP::Response

# With the default, this branch is taken and the page body is printed.
if ($response->is_success) {
    print $response->decoded_content;
} else {
    print STDERR $response->status_line, "\n";
}
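As an added example, not part of the report or of Plack itself, here is the same script with server identity verification turned on, run side by side with the insecure default and with the SSL_options-only variant that the reporter's package list later counts as "good"; it assumes Plack::LWPish passes its constructor options through to HTTP::Tiny->new and that IO::Socket::SSL and Net::SSLeay are installed.

```perl
#!/usr/bin/perl
# Added example, not from the bug report or from Plack: the reporter's script
# with server identity verification turned on, run next to the insecure default.
use strict;
use warnings;

use HTTP::Request;
use HTTP::Tiny;
use IO::Socket::SSL qw(SSL_VERIFY_PEER);
use Plack::LWPish;

# HTTP::Tiny only speaks HTTPS when IO::Socket::SSL and Net::SSLeay are
# installed; bail out early instead of getting a confusing 599 later.
my ($can_ssl, $why) = HTTP::Tiny->can_ssl;
die "HTTPS not available: $why\n" unless $can_ssl;

# Assumption: Plack::LWPish->new passes its options through to HTTP::Tiny->new,
# which accepts the knob as verify_SSL (or lowercase verify_ssl).
sub verifying_client {
    return Plack::LWPish->new(verify_SSL => 1, timeout => 10);
}

# Setting only SSL_verify_mode verifies the certificate chain, but with
# verify_SSL still false HTTP::Tiny keeps SSL_verifycn_scheme at 'none', so the
# hostname is not matched against the certificate. Prefer verify_SSL => 1 and
# use SSL_options only on top of it (check _ssl_args in your HTTP::Tiny version).
sub chain_only_client {
    return Plack::LWPish->new(
        timeout     => 10,
        SSL_options => { SSL_verify_mode => SSL_VERIFY_PEER },
    );
}

sub fetch {
    my ($ua, $url) = @_;
    return $ua->request(HTTP::Request->new(GET => $url));   # HTTP::Response
}

# Summarise a response: HTTP::Tiny reports transport and TLS failures as a
# synthetic 599 whose body carries the IO::Socket::SSL error text.
sub outcome {
    my ($res) = @_;
    return 'accepted' if $res->is_success;
    my ($first) = split /\n/, $res->content // '';
    return sprintf 'refused: %s %s', $res->status_line, $first // '';
}

my $url = 'https://self-signed.badssl.com/';   # certificate no CA has signed

my %clients = (
    'default (verify_SSL off)' => Plack::LWPish->new(timeout => 10),
    'verify_SSL => 1'          => verifying_client(),
    'SSL_verify_mode only'     => chain_only_client(),
);

for my $name (sort keys %clients) {
    printf "%-26s %s\n", $name, outcome(fetch($clients{$name}, $url));
}
```

The default client is the only one of the three that accepts the self-signed host.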



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Mon, 16 Mar 2020 16:39:02 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Mar 2020 16:39:02 GMT)


Message #10 received at 954089@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Felix Lechner <felix.lechner@lease-up.com>, 954089@bugs.debian.org
Cc: debian-perl@lists.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Mon, 16 Mar 2020 17:35:16 +0100
On Mon, 16 Mar 2020 08:28:07 -0700, Felix Lechner wrote:

> Package: libplack-perl
> Severity: important

(Taking a random instance of the identical mass bug filing.)
 
> Your package uses the Perl module HTTP::Tiny, but it does not force
> the verify_SSL attribute to a true value.

Thanks for raising this issue.

I'm wondering about 2 questions:
- Is it realistic to patch dozens of upstream files?
- Should the default be changed in HTTP::Tiny? (In src:perl and in
  libhttp-tiny-perl) In Debian (or better upstream though the latter
  might be difficult given the texts you quote.)
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Bettina Wegner: Waffenlos

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Mon, 16 Mar 2020 17:00:02 GMT)


Acknowledgement sent to Felix Lechner <felix.lechner@lease-up.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Mar 2020 17:00:02 GMT)


Message #15 received at 954089@bugs.debian.org:

From: Felix Lechner <felix.lechner@lease-up.com>
To: gregor herrmann <gregoa@debian.org>
Cc: 954089@bugs.debian.org, Paul Wise <pabs@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Mon, 16 Mar 2020 09:56:36 -0700
Hi Gregor,

On Mon, Mar 16, 2020 at 9:35 AM gregor herrmann <gregoa@debian.org> wrote:
>
> (Taking a random instance of the identical mass bug filing.)

Many are very similar, but not all are identical.

> - Is it realistic to patch dozens of upstream files?
> - Should the default be changed in HTTP::Tiny? (In src:perl and in
>   libhttp-tiny-perl) In Debian (or better upstream though the latter
>   might be difficult given the texts you quote.)

I pursued that route originally (although not exhaustively).
HTTP::Tiny is apparently used in a lot of tests, which would have to
be modified. Also, the module ships as part of Perl core.

In October of last year, I raised the issue with Debian's security
team and received the following reply from Moritz Mühlenhoff, whom I
copied (to avoid talking about people not present). Paul Wise was also
party to the original exchange; he was likewise copied:

> It's not an acceptable default if one would create it from scratch today,
> but I can see their point wrt avoiding to change the default in retrospect
> on a widely installed base. Python made a similar change in 3.x which was
> backported to 2.7 with notable fallout.

> But that doesn't mean that we shouldn't review/change the setting
> as used by reverse dependencies in the archive, I suggest to file
> bugs with severity important for any reverse dependency of the module
> which doesn't have it enabled.

> The maintainers can then assess impact for their respective packages
> and adjust it for bullseye as they see fit (and add a NEWS for high
> profile cases.

As you can see, I am implementing a recommendation I received some
time ago from Debian's security team.

Sorry about all the filings. Another five may follow.

Kind regards
Felix Lechner



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Mon, 16 Mar 2020 17:39:01 GMT)


Message #18 received at 954089@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: Felix Lechner <felix.lechner@lease-up.com>
Cc: gregor herrmann <gregoa@debian.org>, 954089@bugs.debian.org, Paul Wise <pabs@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Mon, 16 Mar 2020 19:29:37 +0200
-=| Felix Lechner, 16.03.2020 09:56:36 -0700 |=-
> > - Is it realistic to patch dozens of upstream files?
> > - Should the default be changed in HTTP::Tiny? (In src:perl and in
> >   libhttp-tiny-perl) In Debian (or better upstream though the latter
> >   might be difficult given the texts you quote.)
> 
> I pursued that route originally (although not exhaustively).

That was my first thought too.

> HTTP::Tiny is apparently used in a lot of tests, which would have to
> be modified. Also, the module ships as part of Perl core.

Failing tests are bad, meaning they need (trivial) work to be fixed. 
Not being secure by default is worse, IMO.

I guess it finally depends on the amount of patching needed. Any idea
how many packages we are talking about? Any takers for an archive
rebuild with patched perl/libhttp-tiny-perl?

-- dam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Mon, 16 Mar 2020 18:39:03 GMT)


Acknowledgement sent to Felix Lechner <felix.lechner@lease-up.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 16 Mar 2020 18:39:03 GMT)


Message #23 received at 954089@bugs.debian.org:

From: Felix Lechner <felix.lechner@lease-up.com>
To: Damyan Ivanov <dmn@debian.org>
Cc: gregor herrmann <gregoa@debian.org>, 954089@bugs.debian.org, Paul Wise <pabs@debian.org>, Moritz Muehlenhoff <jmm@debian.org>, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Mon, 16 Mar 2020 11:34:51 -0700
Hi Damyan,

On Mon, Mar 16, 2020 at 10:29 AM Damyan Ivanov <dmn@debian.org> wrote:
>
> Any idea how many packages we are talking about?

Below is my working list for filing bugs. It is based on a full text
search from codesearch.d.n.

My designations may not be entirely consistent, but in general 'good'
means that verify_SSL was turned on (or SSL_verify_mode was set in
SSL_options) while 'fpos' means it was a false positive that mentioned
HTTP::Tiny but did not use it.

As a side note, the POD for HTTP::Tiny is ambiguous whether to use
'verify_SSL' or 'SSL_verify'.

If we fix the issue on the consumer side, as suggested by the security
team, we should also include the consumers of many libraries on this
list, such as HTTP::Thin. Please see #954057 for details.

Kind regards
Felix Lechner

#954040 cpanminus
#954041 cpanoutdated
 [good] devscripts
#954042 inxi
 [fpos] libalien-gnuplot-perl
#954043 libcpan-common-index-perl
#954044 libcpan-perl-releases-perl
#954045 libcpanplus-perl
#954046 libcpan-sqlite-perl
 [http] libdancer2-perl
 [http] libdancer-perl
 [fpos] libdbix-class-schema-loader-perl
#954054 libdist-inkt-role-test-perl
 [fpos] libfile-slurp-perl
#954051 libgitlab-api-v4-perl
 [fpos] libhijk-perl
#954056 libhtml-html5-parser-perl
 [fpos] libhttp-lite-perl
#954057 libhttp-thin-perl
#954058 libhttp-tinyish-perl
libhttp-tiny-multipart-perl
libhttp-tiny-perl
 [????] libio-socket-ssl-perl
 [fpos] liblexical-accessor-perl
 [good] libmenlo-legacy-perl
#954059 libmenlo-perl
#954083 libmetacpan-client-perl
 [fpos] libmodule-corelist-perl
 [fpos] libmongodb-perl
 [test] libmoo-perl
#954084 libnanomsg-raw-perl
 [fpos] libnet-ssleay-perl
#954085 libpandoc-wrapper-perl
 [fpos] libparallel-forkmanager-perl
#954089 libplack-perl
 [good] libprotocol-acme-perl
librole-rest-client-perl
libsearch-elasticsearch-perl
libspreadsheet-readsxc-perl
libtask-kensho-perl
liburi-encode-perl
#954048 libwww-oauth-perl
 [fpos] libyahc-perl
 [good] ntp
 [fpos] percona-toolkit
perl
 [fpos] pinto
#954038 pkg-perl-tools
#954047 pmuninstall



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Wed, 18 Mar 2020 10:21:03 GMT)


Message #26 received at 954089@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: Felix Lechner <felix.lechner@lease-up.com>
Cc: 954089@bugs.debian.org, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Wed, 18 Mar 2020 12:18:34 +0200
-=| Felix Lechner, 16.03.2020 11:34:51 -0700 |=-
> On Mon, Mar 16, 2020 at 10:29 AM Damyan Ivanov <dmn@debian.org> 
> wrote:
> >
> > Any idea how many packages we are talking about?
> 
> Below is my working list for filing bugs. It is based on a full text
> search from codesearch.d.n.
> …

I count 30 packages that need fixing (with filed bugs or not examined
or marked with "http").

These would be the packages to patch if we do the "fix the client" 
way.

I was also interested in the count of failing packages when the root 
(e.g. libhttp-tiny-perl/src:perl) is fixed instead.

Fixing the root of the problem seems better to me for two reasons:

 1) fix what is broken instead of working around it in numerous places
 2) consumers outside of Debian would benefit too

2) is true even if the root fix is not applied upstream, since 
I imagine many consumers of 3rd party Perl stuff still use Debian 
packages as a base.

Note that planting work-arounds in these 30 packages with Debian 
specific patches is not good enough in my book, and taking 30 patches 
upstream is not a trivial thing. Imagine having the conversation that 
was had with HTTP::Tiny's author with 30 other authors who have 
different opinions on what is the right thing to do. I'd rather have 
two packages with Debian-specific patches.

But to fully measure the impact, it would be nice to have the number 
of failing packages built with a patched HTTP::Tiny.

I guess my contribution to this would be trying to find that number 
out. (And certainly not patching 30 packages unless other approaches 
are determined inappropriate). I can't say how long that would take, 
so please anybody, feel free to beat me to it.

If we can prove that patching HTTP::Tiny plus several failing tests in
other modules is achievable, we may have a chance convincing 
HTTP::Tiny's author to flip the default (esp. if the patches for the 
failing tests are applied upstream) -- it is 5 years later after all, 
and https is everywhere.


-- Damyan



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Wed, 18 Mar 2020 11:09:02 GMT)


Acknowledgement sent to Felix Lechner <felix.lechner@lease-up.com>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 18 Mar 2020 11:09:02 GMT)


Message #31 received at 954089@bugs.debian.org:

From: Felix Lechner <felix.lechner@lease-up.com>
To: Damyan Ivanov <dmn@debian.org>
Cc: 954089@bugs.debian.org, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Wed, 18 Mar 2020 04:05:22 -0700
Hi,

On Wed, Mar 18, 2020 at 3:18 AM Damyan Ivanov <dmn@debian.org> wrote:
>
> Fixing the root of the problem seems better for me for two reasons:

I wish I had checked with the Debian Perl team before filing the bugs.

> we may have a chance convincing
> HTTP::Tiny's author to flip the default

Please note the module is part of Perl core. Their support may be needed also.

Kind regards
Felix Lechner



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Wed, 18 Mar 2020 16:39:02 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 18 Mar 2020 16:39:02 GMT)


Message #36 received at 954089@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Damyan Ivanov <dmn@debian.org>
Cc: Felix Lechner <felix.lechner@lease-up.com>, 954089@bugs.debian.org, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Wed, 18 Mar 2020 17:35:11 +0100
On Wed, 18 Mar 2020 12:18:34 +0200, Damyan Ivanov wrote:

> Fixing the root of the problem seems better for me for two reasons:
> 
>  1) fix what is broken instead of working around it in numerous places
>  2) consumers outside of Debian would benefit too

I agree, also with the rest of your mail. Thanks for moving this forward!
 
> But to fully measure the impact, it would be nice to have the number 
> of failing packages built with a patched HTTP::Tiny.

I have one small concern: As the change is about checking remote SSL
certs, and tests don't/can't/must not call out to the internet, is it
possible that we won't really catch all potential issues?
 

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Ostbahn-Kurti & Die Chefpartie: A Schritt Vire (Zwa Schritt Zruck)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Thu, 19 Mar 2020 12:42:02 GMT)


Message #39 received at 954089@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: Felix Lechner <felix.lechner@lease-up.com>, 954089@bugs.debian.org, Debian Perl Mailing List <debian-perl@lists.debian.org>
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Thu, 19 Mar 2020 14:39:13 +0200
-=| Felix Lechner, 18.03.2020 04:05:22 -0700 |=-
> Hi,
> 
> On Wed, Mar 18, 2020 at 3:18 AM Damyan Ivanov <dmn@debian.org> wrote:
> >
> > Fixing the root of the problem seems better for me for two reasons:
> 
> I wish I had checked with the Debian Perl team before filing the bugs.

That would have been nice, but there's no real harm done. The problem 
is real and needs to be reported and fixed one way or another. Thank 
you for caring.

> > we may have a chance convincing
> > HTTP::Tiny's author to flip the default
> 
> Please note the module is part of Perl core. Their support may be needed also.

Certainly.

-=| gregor herrmann, 18.03.2020 17:35:11 +0100 |=-
> On Wed, 18 Mar 2020 12:18:34 +0200, Damyan Ivanov wrote:
> 
> > Fixing the root of the problem seems better for me for two 
> > reasons:
> > 
> >  1) fix what is broken instead of working around it in numerous places
> >  2) consumers outside of Debian would benefit too
> 
> I agree, also with the rest of your mail. Thanks for moving this forward!
>  
> > But to fully measure the impact, it would be nice to have the number 
> > of failing packages built with a patched HTTP::Tiny.
> 
> I have one small concern: As the change is about checking remote SSL
> certs, and tests don't/can't/must not call out to the internet, is it
> possible that we won't really catch all potential issues?

Noted. The test rebuilds should be done without the usual isolation 
from the Internet.

I guess a closer inspection of the affected packages is needed.


-- dam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Fri, 15 May 2020 19:18:05 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Fri, 15 May 2020 19:18:05 GMT)


Message #44 received at 954089@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Fri, 15 May 2020 21:14:35 +0200
On Thu, 19 Mar 2020 14:39:13 +0200, Damyan Ivanov wrote:

> > > But to fully measure the impact, it would be nice to have the number 
> > > of failing packages built with a patched HTTP::Tiny.
> > I have one small concern: As the change is about checking remote SSL
> > certs, and tests don't/can't/must not call out to the internet, is it
> > possible that we won't really catch all potential issues?
> Noted. The test rebuilds should be done without the usual isolation 
> from the Internet.
> I guess a closer inspection of the affected packages is needed.

Hi Dam and all,

did you or anyone else get to look into this rebuild effort?

If not, Dom said that he could also try the rebuilds on
perl.debian.net.

Notes:
- HTTP::Tiny is in perl core and in libhttp-tiny-perl;
- The required change looks like a one-character-patch:
  lib/HTTP/Tiny.pm:        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
- The tests should be run with internet enabled as much as possible.


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Simon & Garfunkel: Blessed

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Sun, 17 May 2020 15:48:06 GMT)


Message #47 received at 954089@bugs.debian.org:

From: Damyan Ivanov <dmn@debian.org>
To: 954089@bugs.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Sun, 17 May 2020 18:39:34 +0300
-=| gregor herrmann, 15.05.2020 21:14:35 +0200 |=-
> On Thu, 19 Mar 2020 14:39:13 +0200, Damyan Ivanov wrote:
> 
> > > > But to fully measure the impact, it would be nice to have the number 
> > > > of failing packages built with a patched HTTP::Tiny.
> > > I have one small concern: As the change is about checking remote SSL
> > > certs, and tests don't/can't/must not call out to the internet, is it
> > > possible that we won't really catch all potential issues?
> > Noted. The test rebuilds should be done without the usual isolation 
> > from the Internet.
> > I guess a closer inspection of the affected packages is needed.
> 
> Hi Dam and all,
> 
> did you or anyone else get to look into this rebuild effort?

I haven't. I am still at the stage of "(re-)invent an easy way to 
rebuild a list of packages with a crafted chroot". I don't see this 
changing soon, so please Dom, anybody, feel free to take the job.

> If not, Dom said that he could also try the rebuilds on
> perl.debian.net.
> 
> Notes:
> - HTTP::Tiny is in perl core and in libhttp-tiny-perl;
> - The required change looks like a one-character-patch:
>   lib/HTTP/Tiny.pm:        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
> - The tests should be run with internet enabled as much as possible.

-- dam



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Wed, 20 May 2020 22:06:04 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 20 May 2020 22:06:04 GMT)


Message #52 received at 954089@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Wed, 20 May 2020 23:02:20 +0100
Hello everyone, I just caught up with this. (Side note - please don't
assume I will see a message sent to a random pkg-perl bug report[1].)

On Sun, May 17, 2020 at 06:39:34PM +0300, Damyan Ivanov wrote:
> -=| gregor herrmann, 15.05.2020 21:14:35 +0200 |=-
> > On Thu, 19 Mar 2020 14:39:13 +0200, Damyan Ivanov wrote:
> > 
> > > > > But to fully measure the impact, it would be nice to have the number 
> > > > > of failing packages built with a patched HTTP::Tiny.
> > > > I have one small concern: As the change is about checking remote SSL
> > > > certs, and tests don't/can't/must not call out to the internet, is it
> > > > possible that we won't really catch all potential issues?
> > > Noted. The test rebuilds should be done without the usual isolation 
> > > from the Internet.
> > > I guess a closer inspection of the affected packages is needed.
> > 
> > Hi Dam and all,
> > 
> > did you or anyone else get to look into this rebuild effort?
> 
> I haven't. I am still at the stage of "(re-)invent an easy way to 
> rebuild a list of packages with a crafted chroot". I don't see this 
> changing soon, so please Dom, anybody, feel free to take the job.
> 
> > If not, Dom said that he could also try the rebuilds on
> > perl.debian.net.
> > 
> > Notes:
> > - HTTP::Tiny is in perl core and in libhttp-tiny-perl;
> > - The required change looks like a one-character-patch:
> >   lib/HTTP/Tiny.pm:        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
> > - The tests should be run with internet enabled as much as possible.

I am happy to do this, but I want to add a large caution: I do not
think that a clean bill of health from rebuild testing by itself
will allow us to draw any meaningful conclusions. It'd tell us that 
the unit tests were correctly disabling SSL verification in their test
suites, or their test suites don't test SSL-related functionality, or
their test suites (inappropriately) rely on external servers with
correct SSL setups.

But what's much more important here, surely, is what effect such a
change will have on our users in the real world, who will be using
this module to talk to the internet, and not to mention their own
internal services. I don't really see a way to know the scale of
breakage this will cause without trying it and seeing how much noise
there is from our (unstable) users.

Note that this is not a reason to avoid making the change. I just want
to make sure we're going into this with our eyes open.

Cheers
Dominic

[1] Side note to the side note: ugh, is the BTS setting Reply-To
to strip out other correspondents? I have subscribed to this bug
on the BTS so I will hopefully receive all mail to it in my inbox.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Sun, 24 May 2020 16:42:05 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 24 May 2020 16:42:05 GMT)


Message #57 received at 954089@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org
Cc: debian-perl@lists.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Sun, 24 May 2020 17:38:54 +0100
On Wed, May 20, 2020 at 11:02:20PM +0100, Dominic Hargreaves wrote:
> Hello everyone, I just caught up with this. (Side note - please don't
> assume I will see a message sent to a random pkg-perl bug report[1].)
> 
> On Sun, May 17, 2020 at 06:39:34PM +0300, Damyan Ivanov wrote:
> > -=| gregor herrmann, 15.05.2020 21:14:35 +0200 |=-
> > > On Thu, 19 Mar 2020 14:39:13 +0200, Damyan Ivanov wrote:
> > > 
> > > > > > But to fully measure the impact, it would be nice to have the number 
> > > > > > of failing packages built with a patched HTTP::Tiny.
> > > > > I have one small concern: As the change is about checking remote SSL
> > > > > certs, and tests don't/can't/must not call out to the internet, is it
> > > > > possible that we won't really catch all potential issues?
> > > > Noted. The test rebuilds should be done without the usual isolation 
> > > > from the Internet.
> > > > I guess a closer inspection of the affected packages is needed.
> > > 
> > > Hi Dam and all,
> > > 
> > > did you or anyone else get to look into this rebuild effort?
> > 
> > I haven't. I am still at the stage of "(re-)invent an easy way to 
> > rebuild a list of packages with a crafted chroot". I don't see this 
> > changing soon, so please Dom, anybody, feel free to take the job.
> > 
> > > If not, Dom said that he could also try the rebuilds on
> > > perl.debian.net.
> > > 
> > > Notes:
> > > - HTTP::Tiny is in perl core and in libhttp-tiny-perl;
> > > - The required change looks like a one-character-patch:
> > >   lib/HTTP/Tiny.pm:        verify_SSL   => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default
> > > - The tests should be run with internet enabled as much as possible.
> 
> I am happy to do this, but I want to add a large caution: I do not
> think that a clean bill of health from rebuild testing by itself
> will allow us to draw any meaningful conclusions. It'd tell us that 
> the unit tests were correctly disabling SSL verification in their test
> suites, or their test suites don't test SSL-related functionality, or
> their test suites (inappropriately) rely on external servers with
> correct SSL setups.
> 
> But what's much more important here, surely, is what effect such a
> change will have on our users in the real world, who will be using
> this module to talk to the internet, and not to mention their own
> internal services. I don't really see a way to know the scale of
> breakage this will cause without trying it and seeing how much noise
> there is from our (unstable) users.
> 
> Note that this is not a reason to avoid making the change. I just want
> to make sure we're going into this with our eyes open.

I rebuilt perl with the patch at [1] and rebuilt perl dependencies
against it, and did not see any related failures [2].

NB: probably perl should grow a suggestion (at least) on
libnet-ssleay-perl and libio-socket-ssl-perl, which are required
to use HTTP::Tiny with https URLs.

So, what are people's thoughts? Do we want to take this position
and change the default in Debian? Extending distribution to debian-perl
for wider visibility.

Cheers
Dominic

[1] <https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92>
[2] <http://perl.debian.net/rebuild-logs/experimental/report.html>



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Sun, 24 May 2020 18:03:04 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 24 May 2020 18:03:05 GMT)


Message #62 received at 954089@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Dominic Hargreaves <dom@earth.li>
Cc: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Sun, 24 May 2020 20:00:28 +0200
On Sun, 24 May 2020 17:38:54 +0100, Dominic Hargreaves wrote:

> I rebuilt perl with the patch at [1] and rebuilt perl dependencies
> against it, and did not see any related failures [2].

Thanks a lot!
 
> So, what are people's thoughts? Do we want to take this position
> and change the default in Debian? Extending distribution to debian-perl
> for wider visibility.

A tentative "yes" from me :)

Maybe we should seek communication with upstream in
https://github.com/chansen/p5-http-tiny/issues/68 (or a new issue
since that one is closed) as a next step?


Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   NP: Tom Waits: Warm Beer and Cold Women

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#954089; Package libplack-perl. (Sun, 07 Jun 2020 16:27:02 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 07 Jun 2020 16:27:02 GMT)


Message #67 received at 954089@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Sun, 7 Jun 2020 17:22:21 +0100
Control: reassign -1 src:perl
Control: retitle -1 perl: Default HTTP::Tiny to verifying SSL certificates

On Sun, May 24, 2020 at 08:00:28PM +0200, gregor herrmann wrote:
> On Sun, 24 May 2020 17:38:54 +0100, Dominic Hargreaves wrote:
> 
> > I rebuilt perl with the patch at [1] and rebuilt perl dependencies
> > against it, and did not see any related failures [2].
> 
> Thanks a lot!
>  
> > So, what are people's thoughts? Do we want to take this position
> > and change the default in Debian? Extending distribution to debian-perl
> > for wider visibility.
> 
> A tentative "yes" from me :)
> 
> Maybe we should seek communication with upstream in
> https://github.com/chansen/p5-http-tiny/issues/68 (or a new issue
> since that one is closed) as a next step?

I'll comment on the above issue (I don't think opening a new issue
to discuss an identical point, even if it is a while later, is friendly
to the project - and it makes the previous, relevant arguments, less
visible.)



Bug reassigned from package 'libplack-perl' to 'src:perl'. Request was from Dominic Hargreaves <dom@earth.li> to 954089-submit@bugs.debian.org. (Sun, 07 Jun 2020 16:27:02 GMT)


Changed Bug title to 'perl: Default HTTP::Tiny to verifying SSL certificates' from 'libplack-perl: Please verify server identity via SSL'. Request was from Dominic Hargreaves <dom@earth.li> to 954089-submit@bugs.debian.org. (Sun, 07 Jun 2020 16:27:03 GMT)


Bug 954089 cloned as bug 962407. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 07 Jun 2020 16:27:05 GMT)


Added blocking bug(s) of 954089: 962407. Request was from Dominic Hargreaves <dom@earth.li> to control@bugs.debian.org. (Sun, 07 Jun 2020 16:39:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#954089; Package src:perl. (Sun, 07 Jun 2020 16:48:02 GMT)


Acknowledgement sent to Dominic Hargreaves <dom@earth.li>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 07 Jun 2020 16:48:02 GMT)


Message #80 received at 954089@bugs.debian.org:

From: Dominic Hargreaves <dom@earth.li>
To: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org, debian-perl@lists.debian.org, 962407@bugs.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Sun, 7 Jun 2020 17:45:41 +0100
Control: forwarded 954089 https://github.com/chansen/p5-http-tiny/issues/134
Control: forwarded 962407 https://github.com/chansen/p5-http-tiny/issues/134

On Sun, Jun 07, 2020 at 05:22:21PM +0100, Dominic Hargreaves wrote:
> Control: reassign -1 src:perl
> Control: retitle -1 perl: Default HTTP::Tiny to verifying SSL certificates
> 
> On Sun, May 24, 2020 at 08:00:28PM +0200, gregor herrmann wrote:
> > On Sun, 24 May 2020 17:38:54 +0100, Dominic Hargreaves wrote:
> > 
> > > I rebuilt perl with the patch at [1] and rebuilt perl dependencies
> > > against it, and did not see any related failures [2].
> > 
> > Thanks a lot!
> >  
> > > So, what are people's thoughts? Do we want to take this position
> > > and change the default in Debian? Extending distribution to debian-perl
> > > for wider visibility.
> > 
> > A tentative "yes" from me :)
> > 
> > Maybe we should seek communication with upstream in
> > https://github.com/chansen/p5-http-tiny/issues/68 (or a new issue
> > since that one is closed) as a next step?
> 
> I'll comment on the above issue (I don't think opening a new issue
> to discuss an identical point, even if it is a while later, is friendly
> to the project - and it makes the previous, relevant arguments, less
> visible.)

Correction, given the amount of time that's passed and that I'm not
even sure if the person who responded negatively on the previous
issue speaks for the current maintainers, I have opened a new issue:

https://github.com/chansen/p5-http-tiny/issues/134

Cheers
Dominic



Set Bug forwarded-to-address to 'https://github.com/chansen/p5-http-tiny/issues/134'. Request was from Dominic Hargreaves <dom@earth.li> to 954089-submit@bugs.debian.org. (Sun, 07 Jun 2020 16:48:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#954089; Package src:perl. (Sun, 07 Jun 2020 16:54:02 GMT)


Acknowledgement sent to dod@debian.org:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Sun, 07 Jun 2020 16:54:02 GMT)


Message #87 received at 954089@bugs.debian.org:

From: Dominique Dumont <dod@debian.org>
To: Dominic Hargreaves <dom@earth.li>, Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Sun, 07 Jun 2020 18:50:37 +0200
On Sunday, 24 May 2020 20:00:28 CEST gregor herrmann wrote:
> > So, what are people's thoughts? Do we want to take this position
> > and change the default in Debian? Extending distribution to debian-perl
> > for wider visibility.
> 
> A tentative "yes" from me :)

A more firm "yes" from me ;-)

> Maybe we should seek communication with upstream in
> https://github.com/chansen/p5-http-tiny/issues/68 (or a new issue
> since that one is closed) as a next step?

I do not really agree with the rationale of
https://github.com/chansen/p5-http-tiny/issues/68. Most people won't make an
informed decision because they won't realize that TLS is disabled. The only
way for people to make an informed decision is to exit on error when
verify_ssl is not defined, which is not really user friendly ;-)

I think TLS should be verified by default, even more so in Debian because our 
list of trusted CA is regularly updated.

All the best
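
The fail-closed behaviour discussed in this thread, as an added example that is not part of the bug report and not code from HTTP::Tiny itself: a small wrapper that builds an HTTP::Tiny client with verify_SSL forced on, regardless of what the installed release defaults to, and dies up front if the TLS stack (IO::Socket::SSL and Net::SSLeay) is missing rather than discovering that on the first https request. It assumes an HTTP::Tiny release that provides the can_ssl class method and the verify_SSL accessor; the helper names default_verifies and verifying_client are this example's own.

```perl
#!/usr/bin/perl
# Added example (not from the bug thread or from HTTP::Tiny): build a client
# that authenticates the server, and fail closed when it cannot.
use strict;
use warnings;
use HTTP::Tiny;

# What does the installed HTTP::Tiny do when verify_SSL is not given?
# The releases this bug is about return false here, i.e. encryption
# without authentication of the peer.
sub default_verifies {
    my $probe = HTTP::Tiny->new;
    return $probe->verify_SSL ? 1 : 0;
}

# Construct a client that always verifies.  Hypothetical helper name.
# can_ssl in list context returns ($ok, $why); dying here is the
# "exit on error" behaviour the thread describes, applied at start-up.
sub verifying_client {
    my %opts = @_;
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "TLS support not available, refusing to continue: $why\n" unless $ok;
    return HTTP::Tiny->new(
        %opts,
        verify_SSL => 1,   # later key wins, so a caller cannot turn it off
    );
}

my $http = verifying_client(timeout => 10);
printf "verify_SSL default on this install: %s\n",
    default_verifies() ? 'on' : 'off';
printf "this client verifies: %s\n", $http->verify_SSL ? 'yes' : 'no';

# HTTP::Tiny reports an exception during the request (including a failed
# certificate check) as status 599 with the exception text in content,
# so that case is handled explicitly instead of being read as a reply.
my $url = $ARGV[0] or die "usage: $0 https://host/path\n";
my $res = $http->get($url);
if ($res->{status} == 599) {
    print "request failed (transport/TLS): $res->{content}";
} else {
    print "$res->{status} $res->{reason}\n";
}
```

Run as `perl verify.pl https://example.invalid/` (any URL of your own choosing); against a server whose certificate does not chain to the system CA store the result is a 599 response carrying the IO::Socket::SSL error text, not a silently accepted connection.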


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 22 Jul 2021 17:21:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Niko Tyni <ntyni@debian.org>:
Bug#954089; Package src:perl. (Wed, 25 May 2022 20:27:04 GMT)


Acknowledgement sent to gregor herrmann <gregoa@debian.org>:
Extra info received and forwarded to list. Copy sent to Niko Tyni <ntyni@debian.org>. (Wed, 25 May 2022 20:27:04 GMT)


Message #94 received at 954089@bugs.debian.org:

From: gregor herrmann <gregoa@debian.org>
To: Dominic Hargreaves <dom@earth.li>, 962407@bugs.debian.org
Cc: Damyan Ivanov <dmn@debian.org>, 954089@bugs.debian.org, debian-perl@lists.debian.org
Subject: Re: Bug#962407: Bug#954089: libplack-perl: Please verify server identity via SSL
Date: Wed, 25 May 2022 22:24:09 +0200
On Sun, 07 Jun 2020 17:45:41 +0100, Dominic Hargreaves wrote:

> Correction, given the amount of time that's passed and that I'm not
> even sure if the person who responded negatively on the previous
> issue speaks for the current maintainers, I have opened a new issue:
> 
> https://github.com/chansen/p5-http-tiny/issues/134

Revisiting this issue now, the state seems to be:

The upstream ticket was closed with

"On reflection, we shouldn't make this change for backwards compatibility."

So I guess we are back to the point where we have to discuss if we
want to make the change on the Debian side and carry the patch (and
keep the pieces if something breaks).

I think we had a tendency to say "this change makes sense" and "it
doesn't look like huge breakage ahead" but I guess someone needs to
pick up this issue and take a deeper look.

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at -- Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D  85FA BB3A 6801 8649 AA06
 `. `'  Member VIBE!AT & SPI Inc. -- Supporter Free Software Foundation Europe
   `-   

Changed Bug title to 'perl: CVE-2023-31484' from 'perl: Default HTTP::Tiny to verifying SSL certificates'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 13:57:03 GMT)


Changed Bug forwarded-to-address to 'https://github.com/chansen/p5-http-tiny/issues/134 https://github.com/andk/cpanpm/pull/175' from 'https://github.com/chansen/p5-http-tiny/issues/134'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 13:57:03 GMT)


Marked as found in versions perl/5.36.0-7. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 18:51:06 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 18:51:07 GMT)


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 18:51:10 GMT)


Changed Bug forwarded-to-address to 'https://github.com/chansen/p5-http-tiny/issues/134' from 'https://github.com/chansen/p5-http-tiny/issues/134 https://github.com/andk/cpanpm/pull/175'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 20:15:22 GMT)


Changed Bug title to 'perl: CVE-2023-31486' from 'perl: CVE-2023-31484'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 29 Apr 2023 20:15:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 30 13:12:29 2023; Machine Name: bembo
