Installation of cpanm is potentially insecure

[MartijnVdS]

Currently, the Dockerfiles fetch "cpanm" from the "master" branch on miyagawa's github account.

This means that if github or miyagawa's account is (unknowingly) compromised at the time the Docker images are built, all Perl(-based) images will contain a compromised version of cpanm.

It also makes the images non-reproducible (see https://reproducible-builds.org/ for why this is a good idea)

The sha256 of the downloaded Perl .tar.gz is already checked, for the same reasons.

[zakame]

Thanks @MartijnVdS for the report!

Yeah, I've been meaning to change how to bootstrap cpanm in too, although for another reason: cpanmin.us and/or xrl.us do go down from time to time, and thus can be potentially compromised (e.g. DNS poisoning.)

I'm thinking of copying in a known-good fatpack of cpanm here in this repo then use that to bootstrap an install of App::cpanminus from the CPAN, or just put that fatpacked cpanm in /usr/local/bin and skip installing from CPAN entirely, meaning we have a static copy that the Docker image user may choose to upgrade later; would that work for you?

[zakame]

Just re-checked, we are currently getting fatpack cpanm straight from github, but still the potential compromise can happen 😂