Alien::Build::Manual::Security(3) User Contributed Perl Documentation Alien::Build::Manual::Security(3)



NAME

       Alien::Build::Manual::Security - General alien author documentation


VERSION

       version 2.77


SYNOPSIS

        perldoc Alien::Build::Manual::Security


DESCRIPTION

       You are rightly concerned that an Alien might be downloading something
       random off the internet.  This manual will describe some of the real
       risks and go over how you can mitigate them.

   no warranty
       Alien::Build provides Alien authors with tools to add external non-Perl
       dependencies to CPAN modules.  It is open source software that is
       entirely volunteer driven, meaning the people writing this software are
       not getting compensated monetarily for the work.  As such, we do our
       best not to intentionally introduce security vulnerabilities into our
       modules, or their dependencies.  But it is not our responsibility
       either.  If you are operating in an environment where you need absolute
       security, you need to carefully audit all of the software that you use.

   Alien::Build vs. CPAN
       I suppose you could argue that Alien::Build based Aliens and Aliens in
       general are inherently less secure than the Perl modules on CPAN
       that don't download random stuff off the internet.  Worse yet, Aliens
       might be downloading from insecure sources like "http" or "ftp".

       This argument falls apart pretty quickly when you realize that

       1.  Perl modules from CPAN are in fact random stuff off the internet.
           Most modules, when installed, execute a "Makefile.PL" which can
           execute completely arbitrary Perl code.  Without a proper audit or
           firewalls, that CPAN code could be making connections to insecure
           sources like "http", if it is not itself doing something
           nefarious.

       2.  By default, the most frequently used CPAN client App::cpanminus
           uses "http" to fetch CPAN modules.  So unless you have specifically
           configured it to connect to a secure source you are downloading
           even more random stuff than usual off the internet.

       The TL;DR is that if you are using a Perl module, whether it be
       "Foo::PP", "Foo::XS" or "Alien::libfoo" and you are concerned about
       security you need to audit all of your Perl modules, not just the Alien
       ones.

   Restricting Alien::Build by environment
       Okay, granted you need to audit software for security regardless of
       whether it is an Alien, you still don't like the idea of downloading
       external dependencies and you can't firewall just the CPAN module
       installs.

       Alien::Build based Aliens respect a number of environment variables
       that at least give you some control over how aggressive Alien::Build
       will be at fetching random stuff off the internet.

       "ALIEN_DOWNLOAD_RULE"
           This environment variable configures how Alien::Build will deal
           with insecure protocols and files that do not include a
           cryptographic signature.

           Part of the design of the Alien::Build system is that it typically
           tries to download the latest version of a package instead of a
           fixed version, so that the Alien doesn't need to be updated when a
           new alienized package is released.  This means that we frequently
           have to rely on TLS or bundled alienized packages to ensure that
           the alienized package is fetched securely.

           Recently (as of Alien::Build 2.59) we started supporting
           cryptographic signatures defined in alienfiles, but they are not
           yet very common, and they only really work when a single alienized
           package URL is hard coded into the alienfile instead of the more
           typical mode of operation where the latest version is downloaded.

           warn
               This mode will warn you if an Alien::Build based Alien attempts
               to fetch an alienized package insecurely.  It will also warn you
               if a package doesn't have a cryptographic signature.  Neither
               of these things will stop the Alien from being installed.

               This is unfortunately currently the default mode of
               Alien::Build, for historical reasons.  Once plugins and Aliens
               are updated to either use secure fetch (TLS or bundled
               alienized packages), or cryptographic signatures, the default
               will be changed to "digest_or_encrypt".

           digest_or_encrypt
               This mode requires that, before an alienized package is
               extracted, it is either fetched via a secure protocol
               ("https" or "file") or matches a cryptographic signature.

               This will likely be the default for Alien::Build in the near
               future, but it doesn't hurt to set it now, if you don't mind
               submitting tickets to Aliens or plugins that don't support this
               mode yet.

       "ALIEN_INSTALL_NETWORK"
           By design Aliens should use local installs of libraries and tools
           before downloading source from the internet.  Setting this
           environment variable to false will instruct Alien::Build not to
           attempt to fetch the alienized package off the internet if it is
           not available locally or as a bundled package.

           This is similar to setting "ALIEN_INSTALL_TYPE" to "system" (see
           below), except it does allow Aliens that bundle their alienized
           package inside the CPAN package tarball.

           Some Aliens will not install properly at first, but when they error
           you can install the system package and try to re-install the Alien.

       "ALIEN_INSTALL_TYPE"
           Setting "ALIEN_INSTALL_TYPE" to "system" is similar to setting
           "ALIEN_INSTALL_NETWORK" to false, except that bundled alienized
           packages will also be rejected.  This environment variable is
           really intended for use by operating system vendors packaging
           Aliens, or for Alien developer testing (in CI for example).  For
           some who want to restrict how Aliens install this might be the
           right tool to reach for.

       Note that this is definitely best effort.  If the Alien author makes a
       mistake or is malicious they could override these environment variables
       inside the "Makefile.PL", so you still need to audit any software to
       ensure that it doesn't fetch source off the internet.
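
       The following POSIX shell function is an added example; it is not part
       of Alien::Build or of this manual.  It models the rules the three
       environment variables above describe, so that you can check what a
       given combination would do with a package source before running the
       CPAN client.  The function name, the source kinds ("system",
       "bundled", "remote"), the verdict words and the mirror URL are
       constructed for the example and are not Alien::Build vocabulary.

```shell
#!/bin/sh
# Added example, not part of Alien::Build or this manual: a dry-run model of the
# rules the three environment variables above describe.  Given a candidate
# package source it prints what the current ALIEN_DOWNLOAD_RULE,
# ALIEN_INSTALL_NETWORK and ALIEN_INSTALL_TYPE settings would do with it.
# The function name, the source kinds and the verdict words are this script's
# own vocabulary, not Alien::Build API.
#
#   $1  source kind: system | bundled | remote
#   $2  URL of the remote package (ignored for system and bundled)
#   $3  "signed" if the alienfile carries a cryptographic signature for it
# Prints one word on stdout: allow, warn or refuse.
alien_fetch_verdict() {
  afv_kind=$1 afv_url=$2 afv_sig=$3
  afv_rule=${ALIEN_DOWNLOAD_RULE:-warn}   # "warn" is the current default; unknown values fall back to it
  afv_net=${ALIEN_INSTALL_NETWORK-1}      # unset means true; "" and 0 are Perl-false
  afv_type=${ALIEN_INSTALL_TYPE-}

  case "$afv_kind" in
    system)
      # A system install uses what is already on the machine: nothing is fetched.
      echo allow; return 0 ;;
    bundled)
      # ALIEN_INSTALL_TYPE=system rejects bundled packages; ALIEN_INSTALL_NETWORK=0 still allows them.
      if [ "$afv_type" = system ]; then echo refuse; else echo allow; fi
      return 0 ;;
    remote)
      ;;
    *)
      echo "unknown source kind: $afv_kind" >&2; return 2 ;;
  esac

  # Remote fetch: the install-type and network switches are checked first ...
  if [ "$afv_type" = system ]; then echo refuse; return 0; fi
  case "$afv_net" in
    0|'') echo refuse; return 0 ;;
  esac

  # ... then the download rule looks at the transport and the signature.
  afv_scheme=${afv_url%%:*}
  case "$afv_scheme" in
    https|file) afv_secure=1 ;;   # the two transports the manual treats as secure
    *)          afv_secure=0 ;;   # http, ftp and anything else
  esac

  if [ "$afv_rule" = digest_or_encrypt ]; then
    # Secure transport or a matching signature is required before extraction.
    if [ "$afv_secure" = 1 ] || [ "$afv_sig" = signed ]; then echo allow; else echo refuse; fi
  else
    # warn mode: an insecure transport or a missing signature is reported but never fatal.
    if [ "$afv_secure" = 1 ] && [ "$afv_sig" = signed ]; then echo allow; else echo warn; fi
  fi
}

# Constructed demonstration: the same unsigned http tarball (the mirror host is
# made up) under three different settings.  Each case runs in a subshell so the
# exported variable does not leak into the next one.
afv_demo_url='http://mirror.example/libfoo-1.2.3.tar.gz'
for afv_policy in ALIEN_DOWNLOAD_RULE=warn ALIEN_DOWNLOAD_RULE=digest_or_encrypt ALIEN_INSTALL_NETWORK=0; do
  afv_verdict=$( export "$afv_policy"; alien_fetch_verdict remote "$afv_demo_url" unsigned )
  printf '%-36s -> %s\n' "$afv_policy" "$afv_verdict"   # warn, refuse, refuse
done
```

       In practice the equivalent is to export the variables before invoking
       the CPAN client, for example
       "ALIEN_DOWNLOAD_RULE=digest_or_encrypt ALIEN_INSTALL_NETWORK=0 cpanm
       Alien::libfoo".  The model only predicts what a well-behaved Alien
       does: as noted above, a "Makefile.PL" can override these variables,
       which is why the audit advice still applies.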

   Security Related Plugins
       There are a number of plugins that give the user or installer control
       over how Alien::Build behaves, and may be useful for rudimentary
       security.

       Alien::Build::Plugin::Fetch::Prompt
           This plugin will prompt before fetching any remote files.  This
           only really works when you are installing Aliens interactively.

       Alien::Build::Plugin::Fetch::HostAllowList
           This plugin will only allow fetching from hosts that are in an
           allow list.

       Alien::Build::Plugin::Fetch::HostBlockList
           This plugin will not allow fetching from hosts that are in a block
           list.

       Alien::Build::Plugin::Fetch::Rewrite
           This plugin can re-write fetched URLs before the request is made.
           This can be useful if you have a local mirror of certain sources
           that you want to use instead of fetching from the wider internet.

       Alien::Build::Plugin::Probe::Override
           This plugin can override the "ALIEN_INSTALL_TYPE" on a per-Alien
           basis.  This can be useful if you want to install some Aliens in
           "share" mode, but generally want to enforce "system" mode.

   local configuration
       You can configure the way Alien::Build based Aliens are installed with
       the local configuration file "~/.alienbuild/rc.pl".  See
       Alien::Build::rc for details.


CAVEATS

       This whole document is caveats, but if you haven't gotten it by now
       then, fundamentally, if you need to use Perl modules securely then you
       need to audit the code for security vulnerabilities.  If you think that
       the security of Alien::Build and the Aliens that depend on it could be
       improved, then patches are welcome.


SEE ALSO

       Alien::Build::Manual
           Other Alien::Build manuals.


AUTHOR

       Author: Graham Ollis <plicease@cpan.org>

       Contributors:

       Diab Jerius (DJERIUS)

       Roy Storey (KIWIROY)

       Ilya Pavlov

       David Mertens (run4flat)

       Mark Nunberg (mordy, mnunberg)

       Christian Walde (Mithaldu)

       Brian Wightman (MidLifeXis)

       Zaki Mughal (zmughal)

       mohawk (mohawk2, ETJ)

       Vikas N Kumar (vikasnkumar)

       Flavio Poletti (polettix)

       Salvador Fandiño (salva)

       Gianni Ceccarelli (dakkar)

       Pavel Shaydo (zwon, trinitum)

       Kang-min Liu (劉康民, gugod)

       Nicholas Shipp (nshp)

       Juan Julián Merelo Guervós (JJ)

       Joel Berger (JBERGER)

       Petr Písař (ppisar)

       Lance Wicks (LANCEW)

       Ahmad Fatoum (a3f, ATHREEF)

       José Joaquín Atria (JJATRIA)

       Duke Leto (LETO)

       Shoichi Kaji (SKAJI)

       Shawn Laffan (SLAFFAN)

       Paul Evans (leonerd, PEVANS)

       Håkon Hægland (hakonhagland, HAKONH)

       nick nauwelaerts (INPHOBIA)

       Florian Weimer

COPYRIGHT AND LICENSE

       This software is copyright (c) 2011-2022 by Graham Ollis.

       This is free software; you can redistribute it and/or modify it under
       the same terms as the Perl 5 programming language system itself.



perl v5.36.0                      2023-01-20 Alien::Build::Manual::Security(3)