Package: libmetacpan-client-perl Severity: important Dear maintainer,
Your package uses the Perl module HTTP::Tiny (and refers to the secure URL https://metacpan.org) but does not set the verify_SSL attribute to a true value. By default, that module does not validate the identity of server certificates. The documentation states that "Server identity verification is controversial and potentially tricky..." [1] As late as 2015, upstream has been doubling up: "we're not going to be responsible for the user's trust model" [2] I believe, on the other hand, that the encryption of a transmission has no value when talking to the wrong person. You can easily see the useless and dangerous default by running the script at the end of this message. Will you please turn on the verify_SSL attribute in HTTP::Tiny? Kind regards Felix Lechner [1] https://metacpan.org/pod/HTTP::Tiny#SSL-SUPPORT [2] https://github.com/chansen/p5-http-tiny/issues/68 * * * #!/usr/bin/perl use HTTP::Tiny; my $response = HTTP::Tiny->new->get('https://self-signed.badssl.com/'); die "Failed!\n" unless $response->{success}; print "$response->{status} $response->{reason}\n"; while (my ($k, $v) = each %{$response->{headers}}) { for (ref $v eq 'ARRAY' ? @$v : $v) { print "$k: $_\n"; } } print $response->{content} if length $response->{content};
