Bug 2230255 - perl-HTTP-Tiny: a ton of new dependencies all of a sudden?
Summary: perl-HTTP-Tiny: a ton of new dependencies all of a sudden?
Keywords:
Status: ASSIGNED
Alias: None
Product: Fedora
Classification: Fedora
Component: perl-HTTP-Tiny
Version: 40
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Michal Josef Spacek
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-09 07:21 UTC by Artem S. Tashkinov
Modified: 2024-05-10 11:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-09 08:52:46 UTC
Type: Bug
Embargoed:

Description Artem S. Tashkinov 2023-08-09 07:21:50 UTC
Why does a new version of perl-HTTP-Tiny now depend on a ton of new Perl subpackages?

Could this please be made optional?

# dnf update perl-HTTP-Tiny
Dependencies resolved.
================================================================================
 Package                 Arch        Version                 Repository    Size
================================================================================
Upgrading:
 perl-HTTP-Tiny          noarch      0.086-2.fc38            updates       55 k
Installing dependencies:
 perl-AutoLoader         noarch      5.74-497.fc38           updates       22 k
 perl-Digest             noarch      1.20-490.fc38           fedora        25 k
 perl-Digest-MD5         x86_64      2.58-490.fc38           fedora        36 k
 perl-IO-Socket-IP       noarch      0.41-492.fc38           fedora        41 k
 perl-IO-Socket-SSL      noarch      2.081-1.fc38            fedora       227 k
 perl-Mozilla-CA         noarch      20221114-2.fc38         fedora        12 k
 perl-Net-SSLeay         x86_64      1.92-5.fc38             fedora       361 k
 perl-URI                noarch      5.17-2.fc38             fedora       120 k
 perl-base               noarch      2.27-497.fc38           updates       17 k
 perl-libnet             noarch      3.15-1.fc38             fedora       128 k

Transaction Summary
================================================================================
Install  10 Packages
Upgrade   1 Package

Total download size: 1.0 M
Is this ok [y/N]: 
Operation aborted.

This looks totally excessive and unnecessary.

Comment 1 Artem S. Tashkinov 2023-08-09 07:27:24 UTC
perl-HTTP-Tiny-0.086-1.fc38 did not have all these dependencies. What's changed?

Comment 2 Artem S. Tashkinov 2023-08-09 07:32:54 UTC
I'm looking at 58e6bc68c2b34a584f1cfe4a04bd54afee0ef699 and all the dependencies have been added manually.

That's weird.

I thought rpmbuild takes care of that.

Comment 3 Jitka Plesnikova 2023-08-09 08:52:46 UTC
The new dependencies were added for fix of CVE-2023-31486 in version 0.083.

0.083     2023-06-11 07:05:45-04:00 America/New_York (TRIAL RELEASE)

    [!!! SECURITY !!!]
 
    - Changes the `verify_SSL` default parameter from `0` to `1`.
      Fixes CVE-2023-31486.
 
    - `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` can be used to restore the
      old default if required.

perl(IO::Socket::SSL), perl(Mozilla::CA) and perl(Net::SSLeay) were changed from recommends to requires to have SSL support available since `verify_SSL` is true.

I should have updated the dependencies when I updated perl-HTTP-Tiny to 0.084, but I forgot. So that is the reason why I did it now.

Comment 4 Artem S. Tashkinov 2023-08-09 09:24:38 UTC
Understood, though it could have been done via recommends for all I know.

I do not use this package, neither do most of its users.

It means you're foisting off 10 new packages on all systems because a small percentage of them actually use perl-HTTP-Tiny.

OK, that'll be another package with broken deps on my system.

Comment 5 Artem S. Tashkinov 2023-08-09 09:27:34 UTC
Let's look at it differently:

# rpm -e perl-HTTP-Tiny
error: Failed dependencies:
	perl(HTTP::Tiny) is needed by (installed) perl-Pod-Perldoc-3.28.01-491.fc38.noarch

Is it possible instead to make perl-HTTP-Tiny a recommended package for `perl-Pod-Perldoc` instead?

I seriously doubt an average Fedora user even reads _online_ Perl man pages. That looks totally unnecessary.

Comment 6 Petr Pisar 2023-08-09 10:53:11 UTC
>    - Changes the `verify_SSL` default parameter from `0` to `1`.
>      Fixes CVE-2023-31486.

This does not mean that IO::Socket::SSL is now required. This only means that if IO::Socket::SSL is used, then a certificate is verified. If an https URL is passed to HTTP::Tiny, and IO::Socket::SSL is unavailable, then HTTP::Tiny gracefully fails. From HTTP::Tiny POD:

TLS/SSL SUPPORT
    Direct "https" connections are supported only if IO::Socket::SSL 1.56 or
    greater and Net::SSLeay 1.49 or greater are installed. An error will
    occur if new enough versions of these modules are not installed or if
    the TLS encryption fails. You can also use HTTP::Tiny::can_ssl() utility
    function that returns boolean to see if the required modules are
    installed.

Changing the dependency from Recommends to Requires has no influence on CVE-2023-31486.


Maybe we could use the same approach as with LWP (perl-LWP-Protocol-https): Keep HTTP::Tiny free from IO::Socket::SSL and instead introduce a new RPM dependency symbol meaning "I want HTTP::Tiny with TLS support". That new dependency symbol would pull HTTP::Tiny with IO::Socket::SSL. That new dependency symbol would be imposed on packages which are required to process HTTPS connections, like perl-CPAN now.
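The behaviour described in comment 3 and comment 6 (verify_SSL defaulting to 1 since 0.083, the PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT escape hatch, and HTTP::Tiny failing with an error rather than dying when the TLS modules are absent) can be checked from a short script. The following is an added example written for this page; it is not code from the bug report or from the HTTP::Tiny distribution. It assumes HTTP::Tiny 0.083 or later is installed, and the default URL is a placeholder host, not a real target.

```perl
#!/usr/bin/perl
# Added example: probe TLS availability and the effective verify_SSL default
# before fetching an https URL, so a missing IO::Socket::SSL stack or a
# disabled certificate check is reported instead of going unnoticed.
use strict;
use warnings;
use HTTP::Tiny;

# Returns (1, '') when IO::Socket::SSL and Net::SSLeay are installed in new
# enough versions, otherwise (0, $reason). This is the can_ssl() check the
# HTTP::Tiny documentation quoted in the thread refers to; in list context
# it also yields the reason why TLS is unavailable.
sub tls_available {
    my ($ok, $why) = HTTP::Tiny->can_ssl;
    return ($ok ? 1 : 0, $ok ? '' : $why);
}

# Reports the effective verify_SSL default for this process. Since 0.083 the
# default is 1 unless PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT is set in the
# environment, which restores the pre-CVE-2023-31486 behaviour.
sub default_verify_ssl {
    return HTTP::Tiny->new->verify_SSL ? 1 : 0;
}

# Fetches $url with certificate verification forced on regardless of the
# environment. Returns a hashref { ok, status, detail } instead of dying;
# HTTP::Tiny reports connection/TLS problems as status 599 with the error
# text in the content field, so that text is surfaced as the detail.
sub fetch_verified {
    my ($url) = @_;

    my ($ok, $why) = tls_available();
    if ($url =~ m{^https://}i && !$ok) {
        return { ok => 0, status => 0, detail => "no TLS support: $why" };
    }

    # An explicit verify_SSL => 1 overrides both the version default and the env var.
    my $http = HTTP::Tiny->new(verify_SSL => 1, timeout => 10);
    my $res  = $http->get($url);

    return {
        ok     => $res->{success} ? 1 : 0,
        status => $res->{status},
        detail => $res->{status} == 599 ? $res->{content} : $res->{reason},
    };
}

# Usage: perl this_script.pl https://host.example/
if (!caller) {
    my $url = shift @ARGV // 'https://example.invalid/';   # placeholder host, not a real target

    if ($ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}) {
        warn "PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT is set; effective default verify_SSL = ",
             default_verify_ssl(), "\n";
    }

    my ($ok, $why) = tls_available();
    print $ok ? "TLS stack available\n" : "TLS stack missing:\n$why\n";

    my $r = fetch_verified($url);
    printf "%s %s %s\n", ($r->{ok} ? 'OK  ' : 'FAIL'), $r->{status}, ($r->{detail} // '');
}
```

On a system where perl-IO-Socket-SSL and perl-Net-SSLeay are not installed, `tls_available()` returns false with the module-version reason, and `fetch_verified()` returns a failure record rather than an unverified connection; with the environment variable set, `default_verify_ssl()` returns 0 while `fetch_verified()` still verifies, because the explicit constructor argument wins over the default.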

Comment 7 Michal Josef Spacek 2023-08-09 18:40:16 UTC
(In reply to Artem S. Tashkinov from comment #5)
> Let's look at it differently:
> 
> # rpm -e perl-HTTP-Tiny
> error: Failed dependencies:
> 	perl(HTTP::Tiny) is needed by (installed)
> perl-Pod-Perldoc-3.28.01-491.fc38.noarch
> 
> Is it possible instead to make perl-HTTP-Tiny a recommended package for
> `perl-Pod-Perldoc` instead?

Please, don't mix issues. This idea of yours is for the perl-Pod-Perldoc package.

Comment 8 Artem S. Tashkinov 2024-05-10 07:52:35 UTC
In Fedora 40 perl-base is now needed for perl-Getopt-Long-1:2.57-3.fc40.noarch

So the list has become shorter:

perl-AutoLoader perl-Digest perl-Digest-MD5 perl-IO-Socket-IP perl-IO-Socket-SSL perl-Mozilla-CA perl-Net-SSLeay perl-URI perl-libnet

Still I'm perplexed about this:

rpm -e perl-HTTP-Tiny
error: Failed dependencies:
	perl(HTTP::Tiny) is needed by (installed) perl-Pod-Perldoc-3.28.01-503.fc40.noarch

Why would a package showing docs need a HTTP client?

perldoc looks up a piece of documentation in POD format that is embedded
in the perl installation tree or in a Perl script, and displays it via
"groff -man | $PAGER". This is primarily used for the documentation for
the Perl library modules.

Is the HTTP client really needed, or could it be made optional?

Comment 9 Emmanuel Seyman 2024-05-10 11:28:20 UTC
(In reply to Artem S. Tashkinov from comment #8)
> 
> Why would a package showing docs need a HTTP client?

It is possible (and documented) to run "perldoc URL".
See https://metacpan.org/dist/Pod-Perldoc/source/lib/Pod/Perldoc.pm#L271

> Is the HTTP client really needed or it could be made optional?

I do not see Pod::Perldoc gracefully handling the fact that HTTP::Tiny is not installed.
