From 94ff9ccc44ecf7e1a423a0054f9c5bcdfbc0bfce Mon Sep 17 00:00:00 2001
From: Stig Palmquist
Date: Mon, 19 Aug 2024 23:08:46 +0200
Subject: [PATCH 1/5] generate: hotpatch bin/cpanm to use HTTPS endpoints This commit patches out insecure http endpoints from the fatpacked `bin/cpanm` executable
---
 generate.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/generate.pl b/generate.pl
index 4b4b225..80e0984 100755
--- a/generate.pl
+++ b/generate.pl
@@ -91,6 +91,7 @@ sub die_with_sample {
 url => "https://www.cpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-1.7047.tar.gz",
 # sha256 taken from http://www.cpan.org/authors/id/M/MI/MIYAGAWA/CHECKSUMS
 sha256 => "963e63c6e1a8725ff2f624e9086396ae150db51dd0a337c3781d09a994af05a5",
+ patch => q[perl -pi -E 's{http://(www\.cpan\.org|backpan\.perl\.org|cpan\.metacpan\.org|fastapi\.metacpan\.org|cpanmetadb\.plackperl\.org)}{https://$1}g' bin/cpanm],
 },
 iosocketssl => {
 name => "IO-Socket-SSL-2.085",
@@ -325,7 +326,9 @@ =head1 DESCRIPTION
 && cd /usr/src \
 && curl -fLO {{cpanm_dist_url}} \
 && echo '{{cpanm_dist_sha256}} *{{cpanm_dist_name}}.tar.gz' | sha256sum --strict --check - \
- && tar -xzf {{cpanm_dist_name}}.tar.gz && cd {{cpanm_dist_name}} && perl bin/cpanm . && cd /root \
+ && tar -xzf {{cpanm_dist_name}}.tar.gz && cd {{cpanm_dist_name}} \
+ && {{cpanm_dist_patch}} \
+ && perl bin/cpanm . && cd /root \
 && curl -fLO '{{netssleay_dist_url}}' \
 && echo '{{netssleay_dist_sha256}} *{{netssleay_dist_name}}.tar.gz' | sha256sum --strict --check - \
 && cpanm --from $PWD {{netssleay_dist_name}}.tar.gz \
From b6c05282af28ab996c08069d58a370c1b52b2893 Mon Sep 17 00:00:00 2001
From: "Zak B. Elep"
Date: Fri, 30 Aug 2024 07:09:03 +0000
Subject: [PATCH 2/5] build-image.yml: add tests for backpan and trial CPAN modules
---
 .github/workflows/build-image.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 819e3c7..8cc7fc4 100644
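Review bot: The new `patch` command in the cpanm entry exits 0 whether or not it rewrites anything, so if `name`, `url` and `sha256` are later bumped to a release whose endpoint strings differ, the image would still build and ship the plain-http endpoints without any failure. Count the substitutions and fail on zero, for example `$n += s{http://(…)}{https://$1}g; END { $? = 1 unless $n }` with the host list left as it is. The same silent pass carries through to the `&& {{cpanm_dist_patch}} \` step added in the second hunk, which runs whatever this string renders to. The hash entry starts above the hunk, so how `patch` is consumed by the generator is not visible here.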
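Review bot: Nothing around the added `&& {{cpanm_dist_patch}} \` step records that rewriting the scheme only protects downloads when the client cpanm ends up using actually verifies the server certificate. That depends on which download backend is available in each image variant and on that backend's defaults, neither of which is visible in this hunk. It is worth confirming per variant and writing down next to the `patch` entry, e.g. `# https rewrite only helps if the HTTP backend verifies certificates; confirmed for <backend/version>`. The RUN chain continues outside the hunk on both sides.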
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -62,11 +62,15 @@ jobs:
 run: |
 dir='${{ matrix.directory }}'
 img="perl:${dir//,/-}"
+ docker run "$img" cpanm -v Plack@0.9990
+ docker run "$img" cpanm -v Crypt::Argon2@0.024
 docker run "$img" cpanm -v Mojolicious
 - name: Run cpm install test
 run: |
 dir='${{ matrix.directory }}'
 img="perl:${dir//,/-}"
+ docker run "$img" cpm install -v Plack@0.9990
+ docker run "$img" cpm install -v Crypt::Argon2@0.024
 docker run "$img" cpm install -v Mojolicious
 - name: COPY all to default WORKDIR
 run: |
From 7b5ce52f3db736c1cd7012570a4caf6ac5afd139 Mon Sep 17 00:00:00 2001
From: "Zak B. Elep"
Date: Fri, 30 Aug 2024 07:31:40 +0000
Subject: [PATCH 3/5] build-image.yml: exempt slim images in testing additional CPAN modules
---
 .github/workflows/build-image.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 8cc7fc4..0b3ab82 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -62,15 +62,19 @@ jobs:
 run: |
 dir='${{ matrix.directory }}'
 img="perl:${dir//,/-}"
- docker run "$img" cpanm -v Plack@0.9990
- docker run "$img" cpanm -v Crypt::Argon2@0.024
+ if [[ "$dir" != *"slim"* ]]; then
+ docker run "$img" cpanm -v Plack@0.9990
+ docker run "$img" cpanm -v Crypt::Argon2@0.024
+ fi
 docker run "$img" cpanm -v Mojolicious
 - name: Run cpm install test
 run: |
 dir='${{ matrix.directory }}'
 img="perl:${dir//,/-}"
- docker run "$img" cpm install -v Plack@0.9990
- docker run "$img" cpm install -v Crypt::Argon2@0.024
+ if [[ "$dir" != *"slim"* ]]; then
+ docker run "$img" cpm install -v Plack@0.9990
+ docker run "$img" cpm install -v Crypt::Argon2@0.024
+ fi
 docker run "$img" cpm install -v Mojolicious
 - name: COPY all to default WORKDIR
 run: |
From 4549856f7bab0d08b336f500131865d614e70439 Mon Sep 17 00:00:00 2001
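Review bot: The added `cpanm -v` and `cpm install -v` lines only show that the pinned installs succeed, which they presumably would over plain http as well, so they cannot catch a regression of the HTTPS rewrite. If the verbose output names the URLs being fetched, capture it and fail when an http URL appears, e.g. `out=$(docker run "$img" cpanm -v Plack@0.9990 2>&1)` followed by `if grep -qF 'Fetching http://' <<<"$out"; then exit 1; fi`, with the pattern adjusted to what each tool really prints. The same applies to the cpm pair in this hunk and to the later hunks in the series that only swap the module names. Both `run:` blocks start above the added lines, so their shell options are not visible here.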
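Review bot: The `if [[ "$dir" != *"slim"* ]]` guard skips both pinned-version installs on slim variants without saying why, in the cpanm step and again in the cpm step. It also means the backpan and trial-release lookups are never exercised on those images, so the reason belongs in the workflow: add a comment above each guard such as `# slim: <reason these installs cannot run here>; backpan/trial lookups are not covered on slim`. If the reason is specific to Plack or Crypt::Argon2, the guard is worth revisiting whenever the test modules change.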
From: "Zak B. Elep"
Date: Fri, 30 Aug 2024 07:50:55 +0000
Subject: [PATCH 4/5] build-image.yml: switch Plack backpan test to Try::Tiny backpan
---
 .github/workflows/build-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 0b3ab82..791dbb0 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -63,7 +63,7 @@ jobs:
 dir='${{ matrix.directory }}'
 img="perl:${dir//,/-}"
 if [[ "$dir" != *"slim"* ]]; then
- docker run "$img" cpanm -v Plack@0.9990
+ docker run "$img" cpanm -v Try::Tiny@0.30
 docker run "$img" cpanm -v Crypt::Argon2@0.024
 fi
 docker run "$img" cpanm -v Mojolicious
@@ -72,7 +72,7 @@ jobs:
 dir='${{ matrix.directory }}'
 img="perl:${dir//,/-}"
 if [[ "$dir" != *"slim"* ]]; then
- docker run "$img" cpm install -v Plack@0.9990
+ docker run "$img" cpm install -v Try::Tiny@0.30
 docker run "$img" cpm install -v Crypt::Argon2@0.024
 fi
 docker run "$img" cpm install -v Mojolicious
From 4a473e9addbf7194c26f5bc6a2c0d98fbb7fd20d Mon Sep 17 00:00:00 2001
From: "Zak B. Elep"
Date: Fri, 30 Aug 2024 08:13:45 +0000
Subject: [PATCH 5/5] build-image.yml: Replace Crypt::Argon2 trial test with Net::DNS dev test
---
 .github/workflows/build-image.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-image.yml b/.github/workflows/build-image.yml
index 791dbb0..76be54e 100644
--- a/.github/workflows/build-image.yml
+++ b/.github/workflows/build-image.yml
@@ -64,7 +64,7 @@ jobs:
 img="perl:${dir//,/-}"
 if [[ "$dir" != *"slim"* ]]; then
 docker run "$img" cpanm -v Try::Tiny@0.30
- docker run "$img" cpanm -v Crypt::Argon2@0.024
+ docker run "$img" cpanm -v Net::DNS@1.45_02
 fi
 docker run "$img" cpanm -v Mojolicious
 - name: Run cpm install test
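Review bot: Nothing in the workflow says what the two pinned installs are for; only the commit subjects say that `Try::Tiny@0.30` is the backpan case and `Net::DNS@1.45_02` the developer-release case. A comment line above each, `# backpan-only release` and `# developer release (underscore version)`, would keep the next module swap from quietly dropping one of the two lookup paths. The same applies to the `cpm install` pair in the following hunk. The `run:` block starts above this hunk.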
@@ -73,7 +73,7 @@ jobs:
 img="perl:${dir//,/-}"
 if [[ "$dir" != *"slim"* ]]; then
 docker run "$img" cpm install -v Try::Tiny@0.30
- docker run "$img" cpm install -v Crypt::Argon2@0.024
+ docker run "$img" cpm install -v Net::DNS@1.45_02
 fi
 docker run "$img" cpm install -v Mojolicious
 - name: COPY all to default WORKDIR