add support for HTTPS repositories #98

Merged
merged 1 commit into from Jan 12, 2015

Member

zmughal commented Jan 11, 2015

This adds support for HTTPS repositories since both HTTP::Tiny and
LWP::UserAgent can support the HTTPS protocol. This change adds to the
Alien::Base::ModuleBuild::Repository::HTTP repository class.

add support for HTTPS repositories
This adds support for HTTPS repositories since both `HTTP::Tiny` and
`LWP::UserAgent` can support the HTTPS protocol. This change adds to the
`Alien::Base::ModuleBuild::Repository::HTTP` repository class.

zmughal Jan 11, 2015

Member

I want to add HTTPS support so that I can convert Alien::GMP over to using Alien::Base.

zmughal added a commit to EntropyOrg/p5-Alien-GMP that referenced this pull request Jan 11, 2015

use HTTPS protocol
Requires Alien::Base to support HTTPS. A fix for that is given in the
Alien::Base PR <Perl5-Alien/Alien-Base#98>.

plicease Jan 11, 2015

Member

I like it.

One thing that is problematic about SSL and Perl is that what sites are trusted is highly dependent on platform. Should we:

  • support an option (off by default) for the Alien developer to turn off certificate checking
  • that option via an environment variable for the user
  • option for bundling our own CA certs.
  • use something like Mozilla::CA optionally or by default

Most of these make security decisions on behalf of the user, which I am not crazy about, but there is a practicability about it, and it isn't any less secure than using an http/ftp Alien package which we already support.
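
The trust-store options listed in this comment, sketched for `HTTP::Tiny` as an added example; it is not code from this pull request or from Alien::Base. The environment variable name `ALIEN_EXAMPLE_INSECURE_TLS` and the helper `tls_client_args` are hypothetical, and `Mozilla::CA` is used only when it is installed.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical variable name for this example; Alien::Base does not define it.
my $OPT_OUT_ENV = 'ALIEN_EXAMPLE_INSECURE_TLS';

# Build HTTP::Tiny constructor arguments for fetching from an https repository.
# Takes the environment as a hash so the policy can be exercised without
# touching the real %ENV.
sub tls_client_args {
    my (%env) = @_;

    # Ask for chain and hostname verification explicitly instead of relying
    # on whatever default the installed HTTP::Tiny has.
    my %args = (verify_SSL => 1);

    # Use the CA bundle shipped with Mozilla::CA when available, so the set
    # of trusted sites does not depend on the platform's certificate layout.
    if (eval { require Mozilla::CA; 1 }) {
        $args{SSL_options} = { SSL_ca_file => Mozilla::CA::SSL_ca_file() };
    }

    # Escape hatch: off by default, chosen by the person running the install,
    # and announced on STDERR so it shows up in build logs.
    if (($env{$OPT_OUT_ENV} // '') eq '1') {
        warn "TLS certificate verification disabled via $OPT_OUT_ENV\n";
        %args = (verify_SSL => 0);
    }

    return %args;
}

my %args = tls_client_args(%ENV);
my $http = HTTP::Tiny->new(%args);

# can_ssl reports whether IO::Socket::SSL and Net::SSLeay are usable at all,
# which separates "no TLS support" from "certificate not trusted".
my ($ok, $why) = HTTP::Tiny->can_ssl;
print $ok ? "TLS available\n" : "TLS unavailable: $why\n";
printf "verify_SSL=%d ca_file=%s\n",
    $args{verify_SSL},
    ($args{SSL_options} ? $args{SSL_options}{SSL_ca_file} : '(platform default)');
```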

zmughal Jan 11, 2015

Member

If we have an option to bundle CA certs, it seems to be a very similar situation to that of using Digest::SHA for checksums. It shouldn't be hard to implement, but is it worth it right now? I do like having that extra bit of security checks.

plicease Jan 11, 2015

Member

I think it is worth discussing because I think you'll see failures almost immediately. On OpenBSD they are very paranoid (from memory) and nothing is trusted.

@zmughal zmughal referenced this pull request Jan 11, 2015

Open

Release to CPAN #1

mohawk2 Jan 11, 2015

Contributor

This is a tricky one and I don't know what is the right answer. @jberger?

jberger Jan 12, 2015

Member

Do we actually test connecting to http:// connections? If not I don't think we would test real https:// either. I'm not saying we shouldn't but if we are not then why would we get failures?

zmughal Jan 12, 2015

Member

I suppose the subclasses of Alien::Base will get failures. At this point, I think we can address that when the time comes, right?

plicease Jan 12, 2015

Member

Yes, that is what I meant, any Alien::Foo that is connecting to https is going to fail. I am all for https support, but I think there should be some escape mechanism that makes it easy to get it to work without the user having to go in and patch Alien::Base, or figure out how to add the cert for their particular vendor. That is going to frustrate people, esp. when Alien::Foo isn't the thing they are probably interested in (they are of course more interested in Foo::XS or Foo::FFI).

plicease Jan 12, 2015

Member

Let's merge it (aye) I will try and see if I can get it to fail and make some hooks to make it easier to deal with if necessary.

mohawk2 Jan 12, 2015

Contributor

Let's get the dev release/CPAN testers on this. Aye.

@plicease plicease merged commit 3a461e9 into Perl5-Alien:master Jan 12, 2015

1 check passed

continuous-integration/travis-ci The Travis CI build passed

plicease Jan 12, 2015

Member

merged and released as 0.007_01.

plicease Jan 16, 2015

Member

It was looking good on cpan testers so I went ahead and released as 0.008.

I'd like to see some interfaces at some point for allowing integrators to troubleshoot and resolve ssl errors, but I didn't want to delay this feature unnecessarily. @zmughal when/if you have a dist that uses this feature, please let me know the details, I will try it on some of my VMs.

zmughal Jan 18, 2015

Member

@plicease, I have just uploaded Alien::GMP v0.0.6_01 which uses this feature.

plicease Jan 22, 2015

Member

@zmughal so I haven't (yet) been able to get it to die on a cert error on my collection of odd virtual platforms, which is good. Maybe the perl / lwp infrastructure is better at making sure it gets the appropriate certs than I thought it would be :)
