1Alien::Build::Manual::SUesceurriCtoyn(t3r)ibuted Perl DoAcluimeenn:t:aBtuiiolnd::Manual::Security(3)
2
3
4
6 Alien::Build::Manual::Security - General alien author documentation
7
9 version 2.80
10
12 perldoc Alien::Build::Manual::Security
13
15 You are rightly concerned that an Alien might be downloading something
16 random off the internet. This manual will describe some of the real
17 risks and go over how you can mitigate them.
18
19 no warranty
20 Alien::Build provides Alien authors with tools to add external non-Perl
21 dependencies to CPAN modules. It is open source software that is
22 entirely volunteer driven, meaning the people writing this software are
23 not getting compensated monetarily for the work. As such, we do our
24 best not to intentionally introduce security vulnerabilities into our
25 modules, or their dependencies. But it is also not our responsibility
26 either. If you are operating in an environment where you need absolute
27 security, you need to carefully audit all of the software that you use.
28
29 Alien::Build vs. CPAN
30 I suppose you could argue that Alien::Build based Aliens and Aliens in
31 general are inherently less secure than the the Perl modules on CPAN
32 that don't download random stuff off the internet. Worse yet, Aliens
33 might be downloading from insecure sources like "http" or "ftp".
34
35 This argument falls apart pretty quickly when you realize that
36
37 1. Perl modules from CPAN are in fact random stuff off the internet.
38 Most modules, when installed execute a "Makefile.PL" which can
39 execute completely arbitrary Perl code. Without a proper audit or
40 firewalls that CPAN code could be making connections to insecure
41 sources like "http" if they are not themselves doing something
42 nefarious.
43
44 2. By default, the most frequently used CPAN client App::cpanminus
45 uses "http" to fetch CPAN modules. So unless you have specifically
46 configured it to connect to a secure source you are downloading
47 even more random stuff than usual off the internet.
48
49 The TL;DR is that if you are using a Perl module, whether it be
50 "Foo::PP", "Foo::XS" or "Alien::libfoo" and you are concerned about
51 security you need to audit all of your Perl modules, not just the Alien
52 ones.
53
54 Restricting Alien::Build by environment
55 Okay, granted you need to audit software for security regardless of if
56 it is Alien, you still don't like the idea of downloading external
57 dependencies and you can't firewall just the CPAN module installs.
58
59 Alien::Build based Aliens respect a number of environment variables
60 that at least give you some control over how aggresive Alien::Build
61 will be at fetching random stuff off the internet.
62
63 "ALIEN_DOWNLOAD_RULE"
64 This environment variable configures how Alien::Build will deal
65 with insecure protocols and files that do not include a
66 cryptographic signature.
67
68 Part of the design of the Alien::Build system is that it typically
69 tries to download the latest version of a package instead of a
70 fixed version, so that the Alien doesn't need to be updated when a
71 new alienized package is released. This means that we frequently
72 have to rely on TLS or bundled alienized packages to ensure that
73 the alienized package is fetched securely.
74
75 Recently (as of Alien::Build 2.59) we started supporting
76 cryptographic signatures defined in alienfiles, but they are not
77 yet very common, and they only really work when a single alienized
78 package URL is hard coded into the alienfile instead of the more
79 typical mode of operation where the latest version is downloaded.
80
81 warn
82 This mode will warn you if an Alien::Build based Alien attempts
83 to fetch a alienized package insecurely. It will also warn you
84 if a package doesn't have a cryptographic signature. Neither
85 of these things wild stop the Alien from being installed.
86
87 This is unfortunately currently the default mode of
88 Alien::Build, for historical reasons. Once plugins and Aliens
89 are updated to either use secure fetch (TLS or bundled
90 alienized packages), or cryptographic signatures, the default
91 will be changed to "digest_or_encrypt".
92
93 digest_or_encrypt
94 This mode will require that before an alienized package is
95 extracted that it is either fetched via a secure protocol
96 ("http" or "file"), or the package matches a cryptographic
97 signature.
98
99 This will likely be the default for Alien::Build in the near
100 future, but it doesn't hurt to set it now, if you don't mind
101 submitting tickets to Aliens or plugins that don't support this
102 mode yet.
103
104 "ALIEN_INSTALL_NETWORK"
105 By design Aliens should use local installs of libraries and tools
106 before downloading source from the internet. Setting this
107 environment variable to false, will instruct Alien::Build to not
108 attempt to fetch the alienized package off the internet if it is
109 not available locally or as a bundled package.
110
111 This is similar to setting "ALIEN_INSTALL_TYPE" to "system" (see
112 below), except it does allow Aliens that bundle their alienized
113 package inside the CPAN package tarball.
114
115 Some Aliens will not install properly at first, but when they error
116 you can install the system package and try to re-install the Alien.
117
118 "ALIEN_INSTALL_TYPE"
119 Setting "ALIEN_INSTALL_TYPE" to "system" is similar to setting
120 "ALIEN_INSTALL_NETWORK" to false, except that bundled alienized
121 packages will also be rejected. This environment variable is
122 really intended for use by operating system vendors packaging
123 Aliens, or for Alien developer testing (in CI for example). For
124 some who want to restrict how Aliens install this might be the
125 right tool to reach for.
126
127 Note that this is definitely best effort. If the Alien author makes a
128 mistake or is malicious they could override these environment variables
129 inside the "Makefile.PL", so you still need to audit any software to
130 ensure that it doesn't fetch source off the internet.
131
132 Security Related Plugins
133 There are a number of plugins that give the user or installer control
134 over how Alien::Build behaves, and may be useful for rudimentary
135 security.
136
137 Alien::Build::Plugin::Fetch::Prompt
138 This plugin will prompt before fetching any remote files. This
139 only really works when you are installing Aliens interactively.
140
141 Alien::Build::Plugin::Fetch::HostAllowList
142 This plugin will only allow fetching from hosts that are in an
143 allow list.
144
145 Alien::Build::Plugin::Fetch::HostBlockList
146 This plugin will not allow fetching from hosts that are in a block
147 list.
148
149 Alien::Build::Plugin::Fetch::Rewrite
150 This plugin can re-write fetched URLs before the request is made.
151 This can be useful if you have a local mirror of certain sources
152 that you want to use instead of fetching from the wider internet.
153
154 Alien::Build::Plugin::Probe::Override
155 This plugin can override the "ALIEN_INSTALL_TYPE" on a perl-Alien
156 basis. This can be useful if you want to install some Aliens in
157 "share" mode, but generally want to enforce "system" mode.
158
159 local configuration
160 You can configure the way Alien::Build based Aliens are installed with
161 the local configuration file "~/.alienbuild/rc.pl". See
162 Alien::Build::rc for details.
163
165 This whole document is caveats, but if you haven't gotten it by now
166 then, fundamentally if you need to use Perl modules securely then you
167 need to audit the code for security vulnerabilities. If you think that
168 the security of Alien::Build and the Aliens that depend on it, then
169 patches welcome.
170
172 Alien::Build::Manual
173 Other Alien::Build manuals.
174
176 Author: Graham Ollis <plicease@cpan.org>
177
178 Contributors:
179
180 Diab Jerius (DJERIUS)
181
182 Roy Storey (KIWIROY)
183
184 Ilya Pavlov
185
186 David Mertens (run4flat)
187
188 Mark Nunberg (mordy, mnunberg)
189
190 Christian Walde (Mithaldu)
191
192 Brian Wightman (MidLifeXis)
193
194 Zaki Mughal (zmughal)
195
196 mohawk (mohawk2, ETJ)
197
198 Vikas N Kumar (vikasnkumar)
199
200 Flavio Poletti (polettix)
201
202 Salvador Fandiño (salva)
203
204 Gianni Ceccarelli (dakkar)
205
206 Pavel Shaydo (zwon, trinitum)
207
208 Kang-min Liu (劉康民, gugod)
209
210 Nicholas Shipp (nshp)
211
212 Juan Julián Merelo Guervós (JJ)
213
214 Joel Berger (JBERGER)
215
216 Petr Písař (ppisar)
217
218 Lance Wicks (LANCEW)
219
220 Ahmad Fatoum (a3f, ATHREEF)
221
222 José Joaquín Atria (JJATRIA)
223
224 Duke Leto (LETO)
225
226 Shoichi Kaji (SKAJI)
227
228 Shawn Laffan (SLAFFAN)
229
230 Paul Evans (leonerd, PEVANS)
231
232 Håkon Hægland (hakonhagland, HAKONH)
233
234 nick nauwelaerts (INPHOBIA)
235
236 Florian Weimer
237
239 This software is copyright (c) 2011-2022 by Graham Ollis.
240
241 This is free software; you can redistribute it and/or modify it under
242 the same terms as the Perl 5 programming language system itself.
243
244
245
246perl v5.36.1 2023-05-15 Alien::Build::Manual::Security(3)