action #104164

Updated by kraih over 2 years ago

## Motivation

https://build.opensuse.org/request/show/940824 suggests removing the package https://build.opensuse.org/package/show/openSUSE:Factory/perl-App-cpanminus with the reasoning

> Unsafe and no release since 2018
> https://blog.hackeriet.no/cpan-signature-verification-vulnerabilities/

We use that e.g. in https://github.com/os-autoinst/openQA/search?q=cpanm in container/openqa/entrypoint.sh, tools/run-tests-within-container, dist/rpm/openQA.spec, etc. Also in os-autoinst scope https://github.com/search?q=org%3Aos-autoinst+perl-App-cpanminus.*&type=code, e.g. in https://github.com/os-autoinst/os-autoinst/blob/b4cc32462b7dc6ae196455325b8a4495d18bc62c/tools/container_run_ci and https://github.com/os-autoinst/os-autoinst-distri-openQA/blob/53747261a2e74bd4788b23e0b101a95ca962eabf/tests/install/openqa_webui.pm, so we should look to assess the situation, find mitigations or suggest a way to have a fixed version of perl-App-cpanminus. As I see sufficient activity in https://github.com/miyagawa/cpanminus/commits/devel, maybe we should switch the package to check out from that branch instead of CPAN releases.

## Acceptance criteria

* **AC1:** openQA is not vulnerable to any of the mentioned CVEs
* **AC2:** The package `perl-App-cpanminus` has not been removed from Factory (or we are using an alternative like `curl -L https://cpanmin.us | perl - -M https://cpan.metacpan.org ...`)
