-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
resurrect perl-5.36 to ease perl upgrades
- Loading branch information
Showing
3 changed files
with
907 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,3 @@ | ||
| DIST perl-5.36.0-patches-1.tar.xz 20352 BLAKE2B f5413c75c5bbced230ad7fa692998caef8e4041f3394ae5212dc2aaee465de619b56cf07551be1bb36f2e06b9ed7d0ddda31ad4a7ec81d5c0c64b698ddd80379 SHA512 ab24577b6d71a13d9ccf272efa0881b29933b6a39532ca0d71d4c9a134f451bbe5f3d87c6c851f26114702ac3f92af5c5a72129a458ebee31e372106955eb157 | ||
| DIST perl-5.36.1.tar.xz 13053604 BLAKE2B baab610d16e444338ad7d529bad6a88e12010786bd25f2ab117ab4dd636859ff862cb925700095434f05a802bea5b89a9d41769f26bdbae439443020950882bd SHA512 8d1ec654c59d078bfc477f11c9526233199a85e4d4f6f5a55bf9eb7802cd355189c669cc6785d2d5e741c1de4d740b7a0cfd3c0198122586a07ac7f527fb14af | ||
| DIST perl-cross-1.4.1.tar.gz 117688 BLAKE2B e01103fb92764213dafb1ab92954fdc4bdcf1bd71a0064279ee75fed55a1c71850eaabdf667d6ab1c15eadccf7497668e5bb5ab13de33fef707fba14bfd52912 SHA512 5f403d3a52f724383d25c23b08e8001954300fa8f07a5b49df440ef4d06ef756404a6e448093c4f4d4f9a470b1c3f2b1b8b27d3d227ac1823552f6a377edd06a |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| Source: | ||
| https://github.com/NixOS/nixpkgs/blob/5b709277f48df630c8fa7aab0cf6157f71a5b45c/pkgs/development/interpreters/perl/http-tiny-verify-ssl-by-default.patch | ||
|
|
||
| Bug: https://bugs.gentoo.org/905296 | ||
| See-also: https://github.com/chansen/p5-http-tiny/pull/151 | ||
| See-also: https://github.com/chansen/p5-http-tiny/issues/152 | ||
| See-also: https://www.openwall.com/lists/oss-security/2023/04/18/14 | ||
| -- | ||
| Patch for HTTP::Tiny that defaults verify_SSL to 1 | ||
|
|
||
| Based on proposed Debian patch by Dominic Hargreaves: | ||
| https://salsa.debian.org/perl-team/interpreter/perl/-/commit/1490431e40e22052f75a0b3449f1f53cbd27ba92 | ||
| --- a/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
| +++ b/cpan/HTTP-Tiny/lib/HTTP/Tiny.pm | ||
| @@ -41,7 +41,7 @@ sub _croak { require Carp; Carp::croak(@_) } | ||
| #pod read or write takes longer than the timeout, the request response status code | ||
| #pod will be 599. | ||
| #pod * C<verify_SSL> — A boolean that indicates whether to validate the SSL | ||
| -#pod certificate of an C<https> — connection (default is false) | ||
| +#pod certificate of an C<https> — connection (default is true) | ||
| #pod * C<SSL_options> — A hashref of C<SSL_*> — options to pass through to | ||
| #pod L<IO::Socket::SSL> | ||
| #pod | ||
| @@ -115,7 +115,7 @@ sub new { | ||
| max_redirect => 5, | ||
| timeout => defined $args{timeout} ? $args{timeout} : 60, | ||
| keep_alive => 1, | ||
| - verify_SSL => $args{verify_SSL} || $args{verify_ssl} || 0, # no verification by default | ||
| + verify_SSL => $args{verify_SSL} // $args{verify_ssl} // 1, # verification by default | ||
| no_proxy => $ENV{no_proxy}, | ||
| }; | ||
|
|
||
| @@ -1055,7 +1055,7 @@ sub new { | ||
| timeout => 60, | ||
| max_line_size => 16384, | ||
| max_header_lines => 64, | ||
| - verify_SSL => 0, | ||
| + verify_SSL => 1, | ||
| SSL_options => {}, | ||
| %args | ||
| }, $class; | ||
| @@ -1797,7 +1797,7 @@ C<timeout> — Request timeout in seconds (default is 60) If a socket open, read | ||
|
|
||
| =item * | ||
|
|
||
| -C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is false) | ||
| +C<verify_SSL> — A boolean that indicates whether to validate the SSL certificate of an C<https> — connection (default is true) | ||
|
|
||
| =item * | ||
|
|
||
| @@ -2069,7 +2069,7 @@ Verification of server identity | ||
|
|
||
| =back | ||
|
|
||
| -B<By default, HTTP::Tiny does not verify server identity>. | ||
| +B<By default, HTTP::Tiny in Gentoo verifies server identity>. | ||
|
|
||
| Server identity verification is controversial and potentially tricky because it | ||
| depends on a (usually paid) third-party Certificate Authority (CA) trust model | ||
| @@ -2077,16 +2077,14 @@ to validate a certificate as legitimate. This discriminates against servers | ||
| with self-signed certificates or certificates signed by free, community-driven | ||
| CA's such as L<CAcert.org|http://cacert.org>. | ||
|
|
||
| -By default, HTTP::Tiny does not make any assumptions about your trust model, | ||
| -threat level or risk tolerance. It just aims to give you an encrypted channel | ||
| -when you need one. | ||
| - | ||
| Setting the C<verify_SSL> attribute to a true value will make HTTP::Tiny verify | ||
| that an SSL connection has a valid SSL certificate corresponding to the host | ||
| name of the connection and that the SSL certificate has been verified by a CA. | ||
| Assuming you trust the CA, this will protect against a L<man-in-the-middle | ||
| -attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. If you are | ||
| -concerned about security, you should enable this option. | ||
| +attack|http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. | ||
| + | ||
| +If you are not concerned about security, and this default in Gentoo causes | ||
| +problems, you should disable this option. | ||
|
|
||
| Certificate verification requires a file containing trusted CA certificates. | ||
|
|
Oops, something went wrong.