%PDF- %PDF-
Direktori : /usr/local/share/perl5/Alien/Build/Manual/ |
Current File : //usr/local/share/perl5/Alien/Build/Manual/Security.pod |
# PODNAME: Alien::Build::Manual::Security # ABSTRACT: General alien author documentation # VERSION __END__ =pod =encoding UTF-8 =head1 NAME Alien::Build::Manual::Security - General alien author documentation =head1 VERSION version 2.74 =head1 SYNOPSIS perldoc Alien::Build::Manual::Security =head1 DESCRIPTION You are rightly concerned that an L<Alien> might be downloading something random off the internet. This manual will describe some of the real risks and go over how you can mitigate them. =head2 no warranty L<Alien::Build> provides L<Alien> authors with tools to add external non-Perl dependencies to CPAN modules. It is open source software that is entirely volunteer driven, meaning the people writing this software are not getting compensated monetarily for the work. As such, we do our best not to intentionally introduce security vulnerabilities into our modules, or their dependencies. But it is also not our responsibility either. If you are operating in an environment where you need absolute security, you need to carefully audit I<all> of the software that you use. =head2 L<Alien::Build> vs. L<CPAN> I suppose you could argue that L<Alien::Build> based L<Alien>s and L<Alien>s in general are inherently less secure than the the Perl modules on L<CPAN> that don't download random stuff off the internet. Worse yet, L<Alien>s might be downloading from insecure sources like C<http> or C<ftp>. This argument falls apart pretty quickly when you realize that =over 4 =item 1 Perl modules from L<CPAN> are in fact random stuff off the internet. Most modules, when installed execute a C<Makefile.PL> which can execute completely arbitrary Perl code. Without a proper audit or firewalls that L<CPAN> code could be making connections to insecure sources like C<http> if they are not themselves doing something nefarious. =item 2 By default, the most frequently used L<CPAN> client L<App::cpanminus|cpanm> uses C<http> to fetch L<CPAN> modules. So unless you have specifically configured it to connect to a secure source you are downloading even more random stuff than usual off the internet. =back The TL;DR is that if you are using a Perl module, whether it be C<Foo::PP>, C<Foo::XS> or C<Alien::libfoo> and you are concerned about security you need to audit all of your Perl modules, not just the L<Alien> ones. =head2 Restricting L<Alien::Build> by environment Okay, granted you need to audit software for security regardless of if it is L<Alien>, you still don't like the idea of downloading external dependencies and you can't firewall just the L<CPAN> module installs. L<Alien::Build> based L<Alien>s respect a number of environment variables that at least give you some control over how aggresive L<Alien::Build> will be at fetching random stuff off the internet. =over 4 =item C<ALIEN_DOWNLOAD_RULE> This environment variable configures how L<Alien::Build> will deal with insecure protocols and files that do not include a cryptographic signature. Part of the design of the L<Alien::Build> system is that it typically tries to download the latest version of a package instead of a fixed version, so that the L<Alien> doesn't need to be updated when a new alienized package is released. This means that we frequently have to rely on TLS or bundled alienized packages to ensure that the alienized package is fetched securely. Recently (as of L<Alien::Build> 2.59) we started supporting cryptographic signatures defined in L<alienfile>s, but they are not yet very common, and they only really work when a single alienized package URL is hard coded into the L<alienfile> instead of the more typical mode of operation where the latest version is downloaded. =over 4 =item warn This mode will warn you if an L<Alien::Build> based L<Alien> attempts to fetch a alienized package insecurely. It will also warn you if a package doesn't have a cryptographic signature. Neither of these things wild stop the L<Alien> from being installed. This is unfortunately currently the default mode of L<Alien::Build>, for historical reasons. Once plugins and L<Alien>s are updated to either use secure fetch (TLS or bundled alienized packages), or cryptographic signatures, the default will be changed to C<digest_or_encrypt>. =item digest_or_encrypt This mode will require that before an alienized package is extracted that it is either fetched via a secure protocol (C<http> or C<file>), or the package matches a cryptographic signature. This will likely be the default for L<Alien::Build> in the near future, but it doesn't hurt to set it now, if you don't mind submitting tickets to L<Alien>s or L<plugins|Alien::Build::Plugin> that don't support this mode yet. =back =item C<ALIEN_INSTALL_NETWORK> By design L<Alien>s should use local installs of libraries and tools before downloading source from the internet. Setting this environment variable to false, will instruct L<Alien::Build> to not attempt to fetch the alienized package off the internet if it is not available locally or as a bundled package. This is similar to setting C<ALIEN_INSTALL_TYPE> to C<system> (see below), except it does allow L<Alien>s that bundle their alienized package inside the L<CPAN> package tarball. Some L<Alien>s will not install properly at first, but when they error you can install the system package and try to re-install the L<Alien>. =item C<ALIEN_INSTALL_TYPE> Setting C<ALIEN_INSTALL_TYPE> to C<system> is similar to setting C<ALIEN_INSTALL_NETWORK> to false, except that bundled alienized packages will also be rejected. This environment variable is really intended for use by operating system vendors packaging L<Alien>s, or for L<Alien> developer testing (in CI for example). For some who want to restrict how L<Alien>s install this might be the right tool to reach for. =back Note that this is definitely best effort. If the L<Alien> author makes a mistake or is malicious they could override these environment variables inside the C<Makefile.PL>, so you still need to audit any software to ensure that it doesn't fetch source off the internet. =head2 Security Related Plugins There are a number of plugins that give the user or installer control over how L<Alien::Build> behaves, and may be useful for rudimentary security. =over 4 =item L<Alien::Build::Plugin::Fetch::Prompt> This plugin will prompt before fetching any remote files. This only really works when you are installing L<Alien>s interactively. =item L<Alien::Build::Plugin::Fetch::HostAllowList> This plugin will only allow fetching from hosts that are in an allow list. =item L<Alien::Build::Plugin::Fetch::HostBlockList> This plugin will not allow fetching from hosts that are in a block list. =item L<Alien::Build::Plugin::Fetch::Rewrite> This plugin can re-write fetched URLs before the request is made. This can be useful if you have a local mirror of certain sources that you want to use instead of fetching from the wider internet. =item L<Alien::Build::Plugin::Probe::Override> This plugin can override the C<ALIEN_INSTALL_TYPE> on a perl-Alien basis. This can be useful if you want to install some L<Alien>s in C<share> mode, but generally want to enforce C<system> mode. =back =head2 local configuration You can configure the way L<Alien::Build> based L<Alien>s are installed with the local configuration file C<~/.alienbuild/rc.pl>. See L<Alien::Build::rc> for details. =head1 CAVEATS This whole document is caveats, but if you haven't gotten it by now then, fundamentally if you need to use Perl modules securely then you need to audit the code for security vulnerabilities. If you think that the security of L<Alien::Build> and the L<Alien>s that depend on it, then I<patches welcome>. =head1 SEE ALSO =over 4 =item L<Alien::Build::Manual> Other L<Alien::Build> manuals. =back =head1 AUTHOR Author: Graham Ollis E<lt>plicease@cpan.orgE<gt> Contributors: Diab Jerius (DJERIUS) Roy Storey (KIWIROY) Ilya Pavlov David Mertens (run4flat) Mark Nunberg (mordy, mnunberg) Christian Walde (Mithaldu) Brian Wightman (MidLifeXis) Zaki Mughal (zmughal) mohawk (mohawk2, ETJ) Vikas N Kumar (vikasnkumar) Flavio Poletti (polettix) Salvador Fandiño (salva) Gianni Ceccarelli (dakkar) Pavel Shaydo (zwon, trinitum) Kang-min Liu (劉康民, gugod) Nicholas Shipp (nshp) Juan Julián Merelo Guervós (JJ) Joel Berger (JBERGER) Petr Písař (ppisar) Lance Wicks (LANCEW) Ahmad Fatoum (a3f, ATHREEF) José Joaquín Atria (JJATRIA) Duke Leto (LETO) Shoichi Kaji (SKAJI) Shawn Laffan (SLAFFAN) Paul Evans (leonerd, PEVANS) Håkon Hægland (hakonhagland, HAKONH) nick nauwelaerts (INPHOBIA) Florian Weimer =head1 COPYRIGHT AND LICENSE This software is copyright (c) 2011-2022 by Graham Ollis. This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself. =cut