This repository has been archived by the owner on Mar 7, 2019. It is now read-only.

add support for HTTPS repositories #98

Merged
merged 1 commit into from Jan 12, 2015

Member

@zmughal zmughal commented Jan 11, 2015

This adds support for HTTPS repositories since both HTTP::Tiny and
LWP::UserAgent can support the HTTPS protocol. This change adds to the
Alien::Base::ModuleBuild::Repository::HTTP repository class.

@zmughal
Member Author

zmughal commented Jan 11, 2015

I want to add HTTPS support so that I can convert Alien::GMP over to using Alien::Base.

@plicease
Contributor

I like it.

One thing that is problematic about SSL and Perl is that what sites are trusted is highly dependent on platform. Should we:

  • support an option (off by default) for the Alien developer to turn off certificate checking
  • that option via an environment variable for the user
  • option for bundling our own CA certs.
  • use something like Mozilla::CA optionally or by default

Most of these make security decisions on behalf of the user, which I am not crazy about, but there is a practicability about it, and it isn't any less secure than using an http/ftp Alien package which we already support.
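
An added example, not part of the thread or of Alien::Base's code: one way the options listed in the comment above could be combined for an `HTTP::Tiny` client, with certificate verification on by default. The function name `build_http_client` and the environment variables `ALIEN_EXAMPLE_SSL_NO_VERIFY` and `ALIEN_EXAMPLE_CA_FILE` are hypothetical.

```perl
use strict;
use warnings;
use HTTP::Tiny;

# Hypothetical names (not part of Alien::Base): build_http_client() and the
# environment variables ALIEN_EXAMPLE_SSL_NO_VERIFY / ALIEN_EXAMPLE_CA_FILE.
sub build_http_client {
    my (%opt) = @_;

    # HTTPS needs IO::Socket::SSL and Net::SSLeay; report why if they are absent.
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    die "HTTPS not available: $why\n" unless $ok;

    # Escape hatch for the user: off unless explicitly requested, and noisy.
    if ($ENV{ALIEN_EXAMPLE_SSL_NO_VERIFY}) {
        warn "TLS certificate verification disabled by ALIEN_EXAMPLE_SSL_NO_VERIFY\n";
        return HTTP::Tiny->new(verify_SSL => 0);
    }

    # Trust-store precedence: explicit bundle, then Mozilla::CA if installed,
    # then whatever HTTP::Tiny locates on the platform.
    my $ca_file = $opt{ca_file} // $ENV{ALIEN_EXAMPLE_CA_FILE};
    if (!defined $ca_file && eval { require Mozilla::CA; 1 }) {
        $ca_file = Mozilla::CA::SSL_ca_file();
    }

    my %ssl_options;
    if (defined $ca_file) {
        die "CA bundle not readable: $ca_file\n" unless -r $ca_file;
        $ssl_options{SSL_ca_file} = $ca_file;
    }

    # verify_SSL is set explicitly: older HTTP::Tiny releases default it to false.
    return HTTP::Tiny->new(verify_SSL => 1, SSL_options => \%ssl_options);
}

# Show the resulting settings without making a network request.
my $http = build_http_client();
printf "verify_SSL=%d ca_file=%s\n",
    $http->verify_SSL,
    ($http->SSL_options // {})->{SSL_ca_file} // '(platform default)';
```

With verification on, a certificate failure surfaces from `HTTP::Tiny` as a response with status 599 and the error text in `content`, which is the place to point integrators at the CA-bundle options.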

@zmughal
Member Author

zmughal commented Jan 11, 2015

If we have an option to bundle CA certs, it seems to be a very similar situation to that of using Digest::SHA for checksums. It shouldn't be hard to implement, but is it worth it right now? I do like having that extra bit of security checks.

@plicease
Contributor

I think it is worth discussing because I think you'll see failures almost immediately. On OpenBSD they are very paranoid (from memory) and nothing is trusted.

@mohawk2
Contributor

mohawk2 commented Jan 11, 2015

This is a tricky one and I don't know what is the right answer. @jberger?

@jberger
Member

jberger commented Jan 12, 2015

Do we actually test connecting to http:// connections? If not I don't think we would test real https:// either. I'm not saying we shouldn't but if we are not then why would we get failures?

@zmughal
Member Author

zmughal commented Jan 12, 2015

I suppose the subclasses of Alien::Base will get failures. At this point, I think we can address that when the time comes, right?

@plicease
Contributor

Yes, that is what I meant, any Alien::Foo that is connecting to https is going to fail. I am all for https support, but I think there should be some escape mechanism that makes it easy to get it to work without the user having to go in and patch Alien::Base, or figure out how to add the cert for their particular vendor. That is going to frustrate people, esp. when Alien::Foo isn't the thing they are probably interested in (they are of course more interested in Foo::XS or Foo::FFI).

@plicease
Contributor

Let's merge it (aye) I will try and see if I can get it to fail and make some hooks to make it easier to deal with if necessary.

@mohawk2
Contributor

mohawk2 commented Jan 12, 2015

Let's get the dev release/CPAN testers on this. Aye.

@plicease plicease merged commit 3a461e9 into Perl5-Alien:master Jan 12, 2015
@plicease
Contributor

merged and released as 0.007_01.

@plicease
Contributor

It was looking good on cpan testers so I went ahead and released as 0.008.

I'd like to see some interfaces at some point for allowing integrators to troubleshoot and resolve ssl errors, but I didn't want to delay this feature unnecessarily. @zmughal when/if you have a dist that uses this feature, please let me know the details, I will try it on some of my VMs.

@zmughal
Member Author

zmughal commented Jan 18, 2015

@plicease, I have just uploaded Alien::GMP v0.0.6_01 which uses this feature.

@plicease
Contributor

@zmughal so I haven't (yet) been able to get it to die on a cert error on my collection of odd virtual platforms, which is good. Maybe the perl / lwp infrastructure is better at making sure it gets the appropriate certs than I thought it would be :)
