
Making www.cpan.org TLS-only


Ask Bjørn Hansen

Aug 31, 2017, 9:15:02 PM
to cpan-w...@perl.org
Hi everyone,

We’re considering how/how-much we can make www.cpan.org TLS-only.
http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html

I expect that we can’t make the whole site TLS-only without breaking some CPAN clients, so the conservative version is to force TLS for

- any url ending in *.html
- any url not matching some variation of
(/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )

Does that sound about right? Maybe /src/, too?

(Also - we will support TLS for www.cpan.org permanently now, so please update URLs where possible and appropriate).


Ask
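The redirect rule proposed above, written out as a small policy checker so the exemptions can be tried against concrete paths. This is an added example, not code from the thread or from the cpan.org infrastructure; the patterns are copied from the proposal (with the dot in /MIRRORED.BY escaped, assuming a literal match was intended), and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Exemptions that keep a path on plain HTTP, copied from the proposal.
# Caveats: "/authors/" and "/MIRRORED.BY" are unanchored substring matches,
# and "^/modules/[^/]+" is not end-anchored, so it also matches deeper paths
# such as /modules/by-module/Foo/Bar.tar.gz, not only the top-level indices.
PLAIN_HTTP_EXEMPT = [
    re.compile(r"/authors/"),
    re.compile(r"/MIRRORED\.BY"),  # assumption: a literal dot was intended
    re.compile(r"^/modules/[^/]+"),
]

# Constructed sample requests (not real cpan.org log lines).
SAMPLE_REQUESTS = [
    "http://www.cpan.org/index.html",
    "http://www.cpan.org/authors/id/A/AB/ABC/Foo-1.00.tar.gz",
    "http://www.cpan.org/modules/02packages.details.txt.gz",
    "http://www.cpan.org/MIRRORED.BY",
    "http://www.cpan.org/src/5.0/perl-5.26.0.tar.gz",
    "http://www.cpan.org/indices/mirrors.json",
]

def must_redirect_to_https(url, extra_exemptions=()):
    """True if a plain-HTTP request for `url` should be answered with a
    301 to https. `url` may be a full URL or a bare path; only the path is
    examined. `extra_exemptions` are further regexes (e.g. a pattern for
    /indices/mirrors.json, which is suggested later in the thread)."""
    path = urlsplit(url).path or "/"
    # Rule 1: every *.html page is forced to TLS, wherever it lives.
    if path.endswith(".html"):
        return True
    # Rule 2: anything not matched by an exemption is forced to TLS.
    patterns = PLAIN_HTTP_EXEMPT + [re.compile(p) for p in extra_exemptions]
    return not any(p.search(path) for p in patterns)

def redirect_target(url):
    """Rewrite an http:// URL to https://, keeping host, path and query."""
    return urlsplit(url)._replace(scheme="https").geturl()

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        forced = must_redirect_to_https(url)
        print("301 -> " + redirect_target(url) if forced else "200 plain", url)
```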

James E Keenan

Aug 31, 2017, 11:00:02 PM
to Ask Bjørn Hansen, cpan-w...@perl.org
To be honest, I had no idea what 'TLS' meant when I first read this
message. So I can't say anything one way or the other about your proposal.

I suspect I'm not alone in this. I would encourage you to post in a
location like blogs.perl.org as to what 'TLS' is, so that the census
count of the ignorant can be reduced.

Thank you very much.
Jim Keenan

Ask Bjørn Hansen

Aug 31, 2017, 11:15:02 PM
to James E Keenan, cpan-w...@perl.org


> On Aug 31, 2017, at 19:44, James E Keenan <jke...@pobox.com> wrote:
>
> To be honest, I had no idea what 'TLS' meant when I first read this message. So I can't say anything one way or the other about your proposal.
>
> I suspect I'm not alone in this. I would encourage you to post in a location like blogs.perl.org as to what 'TLS' is, so that the census count of the ignorant can be reduced.

I posted on http://log.perl.org/ earlier. Feel free to link to that from blogs.perl.org.


Ask

Henk P. Penning

Sep 1, 2017, 3:00:03 AM
to Ask Bjørn Hansen, cpan-w...@perl.org
On Fri, 1 Sep 2017, Ask Bjørn Hansen wrote:

> Date: Fri, 1 Sep 2017 03:10:12 +0200
> From: Ask Bjørn Hansen <a...@perl.org>
> To: cpan-w...@perl.org
> Subject: Making www.cpan.org TLS-only
>
> Hi everyone,
>
> We’re considering how/how-much we can make www.cpan.org TLS-only.
> http://log.perl.org/2017/08/tls-only-for-wwwcpanorg.html
>
> I expect that we can’t make the whole site TLS-only without breaking
> some CPAN clients, so the conservative version is to force TLS for
>
> - any url ending in *.html
> - any url not matching some variation of
> (/authors/ | /MIRRORED.BY | ^/modules/[^/]+ )

If you exclude /MIRRORED.BY, perhaps /indices/mirrors.json
should be excluded too; same stuff, only machine-readable.

> Does that sound about right? Maybe /src/, too?

It sounds arbitrary :-); exceptions cause confusion.
Is it too dangerous to just do it and fix what's broken?
You can always revert quickly.

> Ask

Regards,

Henk Penning

------------------------------------------------------------
Henk P. Penning, ICT-beta                R Uithof HFG-406
Faculty of Science, Utrecht University   T +31 30 253 4106
Budapestlaan 6, 3584CD Utrecht, NL       F +31 30 253 4553
http://www.staff.science.uu.nl/~penni101/  M pen...@uu.nl

Olaf Alders

Sep 1, 2017, 1:00:02 PM
to Ask Bjørn Hansen, Kent Fredric, cpan-workers

> On Sep 1, 2017, at 3:49 AM, Ask Bjørn Hansen <a...@perl.org> wrote:
>
> The Google change was the impetus to get around to it.
>
> Clients should use TLS to request content. It limits the trust for downloading CPAN content roughly to:
>
> - The author
> - PAUSE system maintainers
> - perl.org infrastructure maintainers
> - Fastly
> - Global CA infrastructure
>
> Without TLS you basically trust anyone with any sort of access to your internet connection to not muck with the code you receive.
>
> Obviously the real fix here is that clients need to request via TLS (since I doubt any clients other than regular browsers support HSTS).

As an (interesting?) aside, the Net::HTTP test suite just broke because of the 301 from http://www.cpan.org to https://www.cpan.org (https://github.com/libwww-perl/Net-HTTP/issues/53). Obviously that test made some assumptions which no longer hold up. :) A fix has been released. I just point it out as an unexpected side effect of making these sorts of changes.

Olaf

David E. Wheeler

Sep 1, 2017, 4:45:03 PM
to Ask Bjørn Hansen, cpan-w...@perl.org
That file does not prevent someone from taking over the domain and modifying the files. Nor will it notice man-in-the-middle attacks. Any request without TLS has no proof of domain control. That, along with encryption, is the driving force behind the current “TLS for everything” movement.

Best,

David


David Cantrell

Sep 4, 2017, 9:45:02 AM
to cpan-w...@perl.org
On Fri, Sep 01, 2017 at 12:48:02PM -0400, Olaf Alders wrote:

> As an (interesting?) aside, the Net::HTTP test suite just broke because of the 301 from http://www.cpan.org to https://www.cpan.org https://github.com/libwww-perl/Net-HTTP/issues/53 Obviously that test made some assumptions which no longer hold up. :) A fix has been released. I just point it out as an unexpected side effect of making these sorts of changes.

It broke CPANdeps too, which needs to fetch 02packages.details.txt.gz,
as you're using some SSL options that its openssl doesn't understand.

The long-term fix is for me to upgrade the version of Debian that
CPANdeps uses, but in the meantime can that be another file excluded
from the redirects please.

--
David Cantrell | Pope | First Church of the Symmetrical Internet

I apologize if I offended you personally,
I intended to do it professionally.
-- Steve Champeon, on the nanog list