Bug 2230255

Summary: perl-HTTP-Tiny: a ton of new dependencies all of a sudden?
Product: Fedora
Component: perl-HTTP-Tiny
Version: 38
Hardware: All
OS: Linux
Status: ASSIGNED
Type: Bug
Reporter: Artem S. Tashkinov <aros>
Assignee: Michal Josef Spacek <mspacek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: jplesnik, mspacek, perl-devel, ppisar
Keywords: Reopened
Severity: unspecified
Priority: unspecified
Last Closed: 2023-08-09 08:52:46 UTC

Description Artem S. Tashkinov 2023-08-09 07:21:50 UTC
Why does a new version of perl-HTTP-Tiny now depend on a ton of new Perl subpackages?

Could this please be made optional?

# dnf update perl-HTTP-Tiny
Dependencies resolved.
================================================================================
 Package                 Arch        Version                 Repository    Size
================================================================================
Upgrading:
 perl-HTTP-Tiny          noarch      0.086-2.fc38            updates       55 k
Installing dependencies:
 perl-AutoLoader         noarch      5.74-497.fc38           updates       22 k
 perl-Digest             noarch      1.20-490.fc38           fedora        25 k
 perl-Digest-MD5         x86_64      2.58-490.fc38           fedora        36 k
 perl-IO-Socket-IP       noarch      0.41-492.fc38           fedora        41 k
 perl-IO-Socket-SSL      noarch      2.081-1.fc38            fedora       227 k
 perl-Mozilla-CA         noarch      20221114-2.fc38         fedora        12 k
 perl-Net-SSLeay         x86_64      1.92-5.fc38             fedora       361 k
 perl-URI                noarch      5.17-2.fc38             fedora       120 k
 perl-base               noarch      2.27-497.fc38           updates       17 k
 perl-libnet             noarch      3.15-1.fc38             fedora       128 k

Transaction Summary
================================================================================
Install  10 Packages
Upgrade   1 Package

Total download size: 1.0 M
Is this ok [y/N]: 
Operation aborted.

This looks totally excessive and unnecessary.

Comment 1 Artem S. Tashkinov 2023-08-09 07:27:24 UTC
perl-HTTP-Tiny-0.086-1.fc38 did not have all these dependencies. What's changed?

Comment 2 Artem S. Tashkinov 2023-08-09 07:32:54 UTC
I'm looking at 58e6bc68c2b34a584f1cfe4a04bd54afee0ef699 and all the dependencies have been added manually.

That's weird.

I thought rpmbuild takes care of that.

Comment 3 Jitka Plesnikova 2023-08-09 08:52:46 UTC
The new dependencies were added for the fix of CVE-2023-31486 in version 0.083.

0.083     2023-06-11 07:05:45-04:00 America/New_York (TRIAL RELEASE)

    [!!! SECURITY !!!]
 
    - Changes the `verify_SSL` default parameter from `0` to `1`.
      Fixes CVE-2023-31486.
 
    - `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` can be used to restore the
      old default if required.

perl(IO::Socket::SSL), perl(Mozilla::CA) and perl(Net::SSLeay) were changed from recommends to requires to have SSL support available, since `verify_SSL` is true.

I should have updated the dependencies when I updated perl-HTTP-Tiny to 0.084, but I forgot. So that is the reason why I did it now.

Comment 4 Artem S. Tashkinov 2023-08-09 09:24:38 UTC
Understood, though it could have been done via recommends for all I know.

I do not use this package, neither do most of its users.

It means you're foisting off 10 new packages on all systems because a small percentage of them actually use perl-HTTP-Tiny.

OK, that'll be another package with broken deps on my system.

Comment 5 Artem S. Tashkinov 2023-08-09 09:27:34 UTC
Let's look at it differently:

# rpm -e perl-HTTP-Tiny
error: Failed dependencies:
	perl(HTTP::Tiny) is needed by (installed) perl-Pod-Perldoc-3.28.01-491.fc38.noarch

Is it possible instead to make perl-HTTP-Tiny a recommended package for `perl-Pod-Perldoc`?

I seriously doubt an average Fedora user even reads _online_ Perl man pages. That looks totally unnecessary.

Comment 6 Petr Pisar 2023-08-09 10:53:11 UTC
>    - Changes the `verify_SSL` default parameter from `0` to `1`.
>      Fixes CVE-2023-31486.

This does not mean that IO::Socket::SSL is now required. This only means that if IO::Socket::SSL is used, then a certificate is verified. If an https URL is passed to HTTP::Tiny, and IO::Socket::SSL is unavailable, then HTTP::Tiny graciously fails. From HTTP::Tiny POD:

TLS/SSL SUPPORT
    Direct "https" connections are supported only if IO::Socket::SSL 1.56 or
    greater and Net::SSLeay 1.49 or greater are installed. An error will
    occur if new enough versions of these modules are not installed or if
    the TLS encryption fails. You can also use HTTP::Tiny::can_ssl() utility
    function that returns boolean to see if the required modules are
    installed.

Changing the dependency from Recommends to Requires has no influence on CVE-2023-31486.


Maybe we could use the same approach as with LWP (perl-LWP-Protocol-https): Keep HTTP::Tiny free from IO::Socket::SSL and instead introduce a new RPM dependency symbol meaning "I want HTTP::Tiny with TLS support". That new dependency symbol would pull HTTP::Tiny with IO::Socket::SSL. That new dependency symbol would be imposed on packages which are required to process HTTPS connections, like perl-CPAN now.
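An added example (not from this bug report and not part of the HTTP::Tiny distribution) that shows what the 0.083 change actually controls, as described in the changelog and POD quoted above: `can_ssl()` reports whether the optional TLS stack is present, `verify_SSL` now defaults to 1, and `PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT=1` restores the old default. It assumes HTTP::Tiny 0.083 or newer; the `--fetch URL` flag is this script's own convention, and any URL passed to it is a hypothetical target.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from HTTP::Tiny itself.
# Assumes HTTP::Tiny >= 0.083. Direct https needs IO::Socket::SSL and
# Net::SSLeay at run time (Mozilla::CA supplies a CA bundle); without them
# plain http still works and https requests fail with a 599 response.
use strict;
use warnings;
use HTTP::Tiny;

# 1. Is TLS available at all? In list context can_ssl() also returns the
#    reason when it is not (for example, a missing IO::Socket::SSL).
my ($tls_ok, $why) = HTTP::Tiny->can_ssl;
print "TLS support: ", ($tls_ok ? "yes" : "no ($why)"), "\n";

# 2. A default client: since 0.083 verify_SSL is 1 (the CVE-2023-31486 fix).
my $http = HTTP::Tiny->new;
print "verify_SSL default: ", $http->verify_SSL, "\n";

# 3. The documented opt-out restores the old insecure default. It is read
#    when the object is constructed, so it must be set before new().
{
    local $ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT} = 1;
    my $legacy = HTTP::Tiny->new;
    print "verify_SSL with opt-out env: ", $legacy->verify_SSL, "\n";
}

# 4. An explicit verify_SSL => 1 is honoured regardless of the environment.
#    Code handling anything sensitive should pin it rather than trust the
#    default, which a caller's environment can flip back to 0.
my $strict = HTTP::Tiny->new(verify_SSL => 1, timeout => 10);

# 5. Guarded fetch: only touches the network when run as
#       perl this_script.pl --fetch https://host/path
#    (--fetch is this example's own flag; the URL is a hypothetical target).
#    A missing TLS stack or a failed certificate check does not die; it
#    surfaces as status 599 with the error text in {content}.
if (@ARGV >= 2 && $ARGV[0] eq '--fetch') {
    my $url = $ARGV[1];
    my $res = $strict->get($url);
    if ($res->{success}) {
        printf "%s %s, %d bytes\n",
            $res->{status}, $res->{reason}, length $res->{content};
    }
    else {
        printf "request failed: %s %s\n%s\n",
            $res->{status}, $res->{reason}, $res->{content};
    }
}
```

On the packaging side, the same distinction can be checked from the installed RPM metadata: `rpm -q --requires perl-HTTP-Tiny` lists the hard dependencies that dnf will always pull in, while `rpm -q --recommends perl-HTTP-Tiny` lists the weak ones that a user can decline (for example with `--setopt=install_weak_deps=False`). Whether perl(IO::Socket::SSL) appears in the first list or the second changes what gets installed, not whether certificates are verified once an https connection is attempted.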

Comment 7 Michal Josef Spacek 2023-08-09 18:40:16 UTC
(In reply to Artem S. Tashkinov from comment #5)
> Let's look at it differently:
> 
> # rpm -e perl-HTTP-Tiny
> error: Failed dependencies:
> 	perl(HTTP::Tiny) is needed by (installed)
> perl-Pod-Perldoc-3.28.01-491.fc38.noarch
> 
> Is it possible instead to make perl-HTTP-Tiny a recommended package for
> `perl-Pod-Perldoc` instead?

Please, don't mix issues. This idea of yours is for the perl-Pod-Perldoc package.