Project

General

Profile

Actions

action #104164

closed

The openSUSE package perl-App-cpanminus was suggested for removal but we rely on it within openQA size:M

Added by okurz almost 3 years ago. Updated over 2 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Organisational
Target version:
Start date:
2021-12-19
Due date:
2022-02-11
% Done:

0%

Estimated time:

Description

Motivation

https://build.opensuse.org/request/show/940824 suggests to remove the package https://build.opensuse.org/package/show/openSUSE:Factory/perl-App-cpanminus with reasoning

Unsafe and no release since 2018
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/

We use that e.g. in https://github.com/os-autoinst/openQA/search?q=cpanm in container/openqa/entrypoint.sh, tools/run-tests-within-container, dist/rpm/openQA.spec, etc. Also in os-autoinst scope https://github.com/search?q=org%3Aos-autoinst+perl-App-cpanminus.*&type=code , e.g. in https://github.com/os-autoinst/os-autoinst/blob/b4cc32462b7dc6ae196455325b8a4495d18bc62c/tools/container_run_ci and https://github.com/os-autoinst/os-autoinst-distri-openQA/blob/53747261a2e74bd4788b23e0b101a95ca962eabf/tests/install/openqa_webui.pm so we should look to assess the situation, find mitigations or suggest a way to have a fixed version of perl-App-cpanminus. As I see sufficient activity in https://github.com/miyagawa/cpanminus/commits/devel maybe we should switch the package to checkout from that branch instead of CPAN releases.

Acceptance criteria

  • AC1: openQA is not vulnerable to any of the mentioned CVEs
  • AC2: The package perl-App-cpanminus has not been removed from Factory (or we are using an alternative like curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org ...)
Actions #1

Updated by osukup almost 3 years ago

probably the best approach will be port patches from cpanminus repository to current package.

+- I found two relevant commits in repo

and then with new release update to new stable

Actions #2

Updated by osukup almost 3 years ago

  • Assignee set to osukup
Actions #3

Updated by kraih almost 3 years ago

I don't think we ever even used Module::Signature with cpanm. You're getting worked up about nothing.

Actions #4

Updated by kraih almost 3 years ago

But there are security best practices we should enforce, such as the use of a trusted mirror, and strict HTTPS connections. I don't think we do either at the moment.

Actions #5

Updated by kraih almost 3 years ago

The most trusted and generally very fast (CDN backed) mirror is https://cpan.metacpan.org. It's what the Mojolicious installation one-liners use (curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org -n Mojolicious). If the package was not in openSUSE anymore we could switch to curl. But of course installing via zypper would be slightly better for security.

Actions #6

Updated by kraih almost 3 years ago

I'll start by making a PR that fixes all current uses of cpanm to use the bare minimum security best practices. (Not assigning the ticket to me, but assume i'm on it...)

Actions #8

Updated by kraih almost 3 years ago

And merged. That means all our uses of cpanm are now through a trusted HTTPS mirror and reasonably secure.

Actions #9

Updated by tinita almost 3 years ago

I asked miyagawa here when a release is planned: https://github.com/miyagawa/cpanminus/pull/636#issuecomment-998678526

Actions #10

Updated by osukup almost 3 years ago

Upstream stopped releasing cpanminus on CPAN with version 1.7044 , git has tagged 1.9017 and devel version reports 1.9020

So I repacked perl-App-cpanminus with devel version - sr: https://build.opensuse.org/request/show/941820

Actions #11

Updated by tinita almost 3 years ago

I tried out the package from https://build.opensuse.org/request/show/941820

There are some differences to the current rpm package. Some cpanminus files are missing, and Menlo files are additional. not sure if this is how it should work:

% rpm -ql perl-App-cpanminus                                                                                                             [p5.26.3] 17:50:25
/usr/bin/cpanm
/usr/lib/perl5/vendor_perl/5.26.1/App
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus.pm
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus.pod
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus/Dependency.pm
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus/fatscript.pm
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus/script.pm
/usr/lib/perl5/vendor_perl/5.26.1/x86_64-linux-thread-multi
/usr/share/doc/packages/perl-App-cpanminus
/usr/share/doc/packages/perl-App-cpanminus/Changes
/usr/share/doc/packages/perl-App-cpanminus/README
/usr/share/licenses/perl-App-cpanminus
/usr/share/licenses/perl-App-cpanminus/LICENSE
/usr/share/man/man1/cpanm.1.gz
/usr/share/man/man3/App::cpanminus.3pm.gz
/usr/share/man/man3/App::cpanminus::fatscript.3pm.gz

% rpm -ql perl-App-cpanminus-1.9020-0.noarch.rpm                                                                                         [p5.26.3] 17:50:27
/usr/bin/cpanm
/usr/lib/perl5/vendor_perl/5.34.0/App
/usr/lib/perl5/vendor_perl/5.34.0/App/cpanminus
/usr/lib/perl5/vendor_perl/5.34.0/App/cpanminus.pm
/usr/lib/perl5/vendor_perl/5.34.0/App/cpanminus/script.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo
/usr/lib/perl5/vendor_perl/5.34.0/Menlo.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Builder
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Builder/Static.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/CLI
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/CLI/Compat.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Dependency.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index/MetaCPAN.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index/MetaDB.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index/Mirror.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Legacy.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Util.pm
/usr/share/doc/packages/perl-App-cpanminus
/usr/share/doc/packages/perl-App-cpanminus/Changes
/usr/share/doc/packages/perl-App-cpanminus/README.md
/usr/share/licenses/perl-App-cpanminus
/usr/share/licenses/perl-App-cpanminus/LICENSE
/usr/share/man/man1/cpanm.1.gz
/usr/share/man/man3/App::cpanminus.3pm.gz
/usr/share/man/man3/Menlo.3pm.gz
/usr/share/man/man3/Menlo::Builder::Static.3pm.gz
/usr/share/man/man3/Menlo::CLI::Compat.3pm.gz
/usr/share/man/man3/Menlo::Index::MetaCPAN.3pm.gz
/usr/share/man/man3/Menlo::Index::MetaDB.3pm.gz
/usr/share/man/man3/Menlo::Legacy.3pm.gz

We are still hoping that the author is replying to us about his release plans.

Actions #12

Updated by kraih almost 3 years ago

Spoke with upstream, a new App::cpanminus should be released soon and the --verify functionality will probably be deprecated completely.

Actions #13

Updated by kraih almost 3 years ago

  • Description updated (diff)
Actions #14

Updated by livdywan almost 3 years ago

  • Status changed from New to In Progress

I give in. I'm updating the status now

Actions #15

Updated by openqa_review almost 3 years ago

  • Due date set to 2022-01-12

Setting due date based on mean cycle time of SUSE QE Tools

Actions #16

Updated by osukup almost 3 years ago

tinita wrote:

I tried out the package from https://build.opensuse.org/request/show/941820

There are some differences to the current rpm package. Some cpanminus files are missing, and Menlo files are additional. not sure if this is how it should work:

% rpm -ql perl-App-cpanminus                                                                                                             [p5.26.3] 17:50:25
/usr/bin/cpanm
/usr/lib/perl5/vendor_perl/5.26.1/App
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus.pm
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus.pod
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus/Dependency.pm
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus/fatscript.pm
/usr/lib/perl5/vendor_perl/5.26.1/App/cpanminus/script.pm
/usr/lib/perl5/vendor_perl/5.26.1/x86_64-linux-thread-multi
/usr/share/doc/packages/perl-App-cpanminus
/usr/share/doc/packages/perl-App-cpanminus/Changes
/usr/share/doc/packages/perl-App-cpanminus/README
/usr/share/licenses/perl-App-cpanminus
/usr/share/licenses/perl-App-cpanminus/LICENSE
/usr/share/man/man1/cpanm.1.gz
/usr/share/man/man3/App::cpanminus.3pm.gz
/usr/share/man/man3/App::cpanminus::fatscript.3pm.gz

% rpm -ql perl-App-cpanminus-1.9020-0.noarch.rpm                                                                                         [p5.26.3] 17:50:27
/usr/bin/cpanm
/usr/lib/perl5/vendor_perl/5.34.0/App
/usr/lib/perl5/vendor_perl/5.34.0/App/cpanminus
/usr/lib/perl5/vendor_perl/5.34.0/App/cpanminus.pm
/usr/lib/perl5/vendor_perl/5.34.0/App/cpanminus/script.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo
/usr/lib/perl5/vendor_perl/5.34.0/Menlo.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Builder
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Builder/Static.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/CLI
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/CLI/Compat.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Dependency.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index/MetaCPAN.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index/MetaDB.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Index/Mirror.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Legacy.pm
/usr/lib/perl5/vendor_perl/5.34.0/Menlo/Util.pm
/usr/share/doc/packages/perl-App-cpanminus
/usr/share/doc/packages/perl-App-cpanminus/Changes
/usr/share/doc/packages/perl-App-cpanminus/README.md
/usr/share/licenses/perl-App-cpanminus
/usr/share/licenses/perl-App-cpanminus/LICENSE
/usr/share/man/man1/cpanm.1.gz
/usr/share/man/man3/App::cpanminus.3pm.gz
/usr/share/man/man3/Menlo.3pm.gz
/usr/share/man/man3/Menlo::Builder::Static.3pm.gz
/usr/share/man/man3/Menlo::CLI::Compat.3pm.gz
/usr/share/man/man3/Menlo::Index::MetaCPAN.3pm.gz
/usr/share/man/man3/Menlo::Index::MetaDB.3pm.gz
/usr/share/man/man3/Menlo::Legacy.3pm.gz

We are still hoping that the author is replying to us about his release plans.

current package is fatpack with everything in one file , on other hand new is normal perl package

Actions #17

Updated by livdywan over 2 years ago

  • Due date changed from 2022-01-12 to 2022-01-21

Acceptance criteria

  • AC1: openQA is not vulnerable to any of the mentioned CVEs
  • AC2: The package perl-App-cpanminus has not been removed from Factory (or we are using an alternative like curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org ...)

@osukup @sriedel So where are we at?

Actions #18

Updated by osukup over 2 years ago

cdywan wrote:

Acceptance criteria

  • AC1: openQA is not vulnerable to any of the mentioned CVEs
  • AC2: The package perl-App-cpanminus has not been removed from Factory (or we are using an alternative like curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org ...)

@osukup @sriedel So where are we at?

AC1: my SR solves this
AC2:

1) delete request was rejected/postponed
2) my SR to Factoryt repapackage devel version of cpanm ( as is used by upstream, which stopped publishing cpanm on CPAN )

Actions #19

Updated by osukup over 2 years ago

updated SR contains removal of checksum functions

Actions #20

Updated by livdywan over 2 years ago

osukup wrote:

updated SR contains removal of checksum functions

https://build.opensuse.org/request/show/947240 This?

Actions #21

Updated by osukup over 2 years ago

cdywan wrote:

osukup wrote:

updated SR contains removal of checksum functions

https://build.opensuse.org/request/show/947240 This?

ja :D

Actions #22

Updated by osukup over 2 years ago

  • Status changed from In Progress to Feedback

.. for next step it needs SR accepted and forwarded to Factory ( Then submitted to Leap)

Actions #23

Updated by tinita over 2 years ago

See:

So Miyagawa says the feature will be removed (PR 638).
Unfortunately there is still no release, but we could try to backport the patch to the current tarball, it seems simple enough.
But I also asked him again what the plans are.

I vote against https://build.opensuse.org/request/show/947240 , and there were several comments from me and others on this and the previous request https://build.opensuse.org/request/show/941820

current package is fatpack with everything in one file , on other hand new is normal perl package

That's not the only difference.

Actions #24

Updated by kraih over 2 years ago

tinita wrote:

See:

So Miyagawa says the feature will be removed (PR 638).
Unfortunately there is still no release, but we could try to backport the patch to the current tarball, it seems simple enough.
But I also asked him again what the plans are.

I vote against https://build.opensuse.org/request/show/947240 , and there were several comments from me and others on this and the previous request https://build.opensuse.org/request/show/941820

I'm with Tina on this.

Actions #25

Updated by tinita over 2 years ago

A new release was just made: https://metacpan.org/dist/App-cpanminus 1.7045

Actions #26

Updated by osukup over 2 years ago

  • Status changed from Feedback to In Progress

with new release thanks to @tinita --> on Friday 28.1 is excepted to be in devel project and created ticket to Factory

in middle of next week accepted into Factory and then we can create MR to Leap 15.3 with in +- 10 days released as Maint Update for leap

Actions #27

Updated by osukup over 2 years ago

  • Status changed from In Progress to Feedback
Actions #28

Updated by livdywan over 2 years ago

@osukup If we're waiting on something that'll happen in ~10 days I would think Feb 11 seems like a good due date, because by then we should be able to have this verified and resolved.

Actions #29

Updated by tinita over 2 years ago

  • Due date changed from 2022-01-21 to 2022-02-11
Actions #30

Updated by osukup over 2 years ago

SR to factory accepted

MR to Leap 15.3 https://build.opensuse.org/request/show/950151

Actions #31

Updated by livdywan over 2 years ago

osukup wrote:

SR to factory accepted

MR to Leap 15.3 https://build.opensuse.org/request/show/950151

I see a build issue unresolvable: nothing provides perl(aliased) for i586. Are you looking into it? Or is this expected?

Actions #32

Updated by osukup over 2 years ago

cdywan wrote:

osukup wrote:

SR to factory accepted

MR to Leap 15.3 https://build.opensuse.org/request/show/950151

I see a build issue unresolvable: nothing provides perl(aliased) for i586. Are you looking into it? Or is this expected?
i586 isnt supported :D

btw accepted as openSUSE:Maintenance:17366

Actions #33

Updated by livdywan over 2 years ago

  • Subject changed from The openSUSE package perl-App-cpanminus was suggested for removal but we rely on it within openQA to The openSUSE package perl-App-cpanminus was suggested for removal but we rely on it within openQA size:M
  • Status changed from Feedback to Resolved

Both ACs are fulfilled, the package no longer has the unwanted features and remains in factory

Actions

Also available in: Atom PDF