Project

General

Profile

Actions

action #104164

closed

The openSUSE package perl-App-cpanminus was suggested for removal but we rely on it within openQA size:M

Added by okurz about 3 years ago. Updated almost 3 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Organisational
Target version:
Start date:
2021-12-19
Due date:
2022-02-11
% Done:

0%

Estimated time:

Description

Motivation

https://build.opensuse.org/request/show/940824 suggests to remove the package https://build.opensuse.org/package/show/openSUSE:Factory/perl-App-cpanminus with reasoning

Unsafe and no release since 2018
https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/

We use that e.g. in https://github.com/os-autoinst/openQA/search?q=cpanm in container/openqa/entrypoint.sh, tools/run-tests-within-container, dist/rpm/openQA.spec, etc. Also in os-autoinst scope https://github.com/search?q=org%3Aos-autoinst+perl-App-cpanminus.*&type=code , e.g. in https://github.com/os-autoinst/os-autoinst/blob/b4cc32462b7dc6ae196455325b8a4495d18bc62c/tools/container_run_ci and https://github.com/os-autoinst/os-autoinst-distri-openQA/blob/53747261a2e74bd4788b23e0b101a95ca962eabf/tests/install/openqa_webui.pm so we should look to assess the situation, find mitigations or suggest a way to have a fixed version of perl-App-cpanminus. As I see sufficient activity in https://github.com/miyagawa/cpanminus/commits/devel maybe we should switch the package to checkout from that branch instead of CPAN releases.

Acceptance criteria

  • AC1: openQA is not vulnerable to any of the mentioned CVEs
  • AC2: The package perl-App-cpanminus has not been removed from Factory (or we are using an alternative like curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org ...)
Actions

Also available in: Atom PDF