Make cpanm install more secure #40


Conversation

zakame (Member) commented Aug 16, 2017

Use a local known-good fatpacked copy of cpanm and install it instead of
fetching it from GitHub.

Fixes #39.

zakame added 3 commits August 16, 2017 16:33

Have a known-good local fatpacked copy of cpanm from
https://github.com/miyagawa/cpanminus. Pin at version 1.7043.

Instead of fetching cpanm from GitHub, copy our local fatpacked cpanm
into the context directory of each Perl image, so it can be installed
into /usr/local/bin.

Looks a bit ugly copying cpanm in so many times, but due to the way
Docker Hub works, it can't be helped...
tianon (Contributor) commented Aug 16, 2017

Why not instead just replace master with a known-good commit or release tag?

zakame (Member, Author) commented Aug 16, 2017

That can work too, although if I read #39 correctly it was concern about the repo (or even github itself) being compromised at the time of image build. I'd go the commit/tag route myself if it were GPG-signed (or there's some other way to externally verify the authenticity; perhaps an alternate might be to fetch from CPAN instead of GitHub, via plain cpan.)

I'm not too keen on this PR itself since we make copies of cpanm, so alternatives are very much welcome!

tianon (Contributor) commented Aug 16, 2017 via email

zakame (Member, Author) commented Aug 16, 2017

I checked CPAN, it provides a CHECKSUMS file per author that contains SHA256 for the dists, so e.g. for App-cpanminus-1.7043:

  'App-cpanminus-1.7043.tar.gz' => {
    'md5' => '067e668f287c27c96cd392cf39b7ea56',
    'md5-ungz' => '109cce105cb1eb3c4b66b348aefa25e1',
    'mtime' => '2017-04-03',
    'sha256' => '68a06f7da80882a95bc02c92c7ee305846fb6ab648cf83678ea945e44ad65c65',
    'sha256-ungz' => 'c70be8763f1322b6023435cade5bf22d26120165003f65ba089556c412cb1b89',
    'size' => 317984
  },

Normal cpan uses this for verification:

# cpan install App::cpanminus
cpan install App::cpanminus
Loading internal null logger. Install Log::Log4perl for logging messages
Fetching with HTTP::Tiny:
http://www.cpan.org/authors/01mailrc.txt.gz
Reading '/root/.cpan/sources/authors/01mailrc.txt.gz'
............................................................................DONE
Fetching with HTTP::Tiny:
http://www.cpan.org/modules/02packages.details.txt.gz
Reading '/root/.cpan/sources/modules/02packages.details.txt.gz'
  Database was generated on Wed, 16 Aug 2017 11:41:02 GMT
  HTTP::Date not available
............................................................................DONE
Fetching with HTTP::Tiny:
http://www.cpan.org/modules/03modlist.data.gz
Reading '/root/.cpan/sources/modules/03modlist.data.gz'
DONE
Writing /root/.cpan/Metadata
Running install for module 'App::cpanminus'
Fetching with HTTP::Tiny:
http://www.cpan.org/authors/id/M/MI/MIYAGAWA/App-cpanminus-1.7043.tar.gz
Fetching with HTTP::Tiny:
http://www.cpan.org/authors/id/M/MI/MIYAGAWA/CHECKSUMS
Checksum for /root/.cpan/sources/authors/id/M/MI/MIYAGAWA/App-cpanminus-1.7043.tar.gz ok
'YAML' not installed, will not store persistent state
Configuring M/MI/MIYAGAWA/App-cpanminus-1.7043.tar.gz with Makefile.PL
Checking if your kit is complete...
Looks good
Generating a Unix-style Makefile
Writing Makefile for App::cpanminus
Writing MYMETA.yml and MYMETA.json
  MIYAGAWA/App-cpanminus-1.7043.tar.gz
  /usr/local/bin/perl Makefile.PL -- OK
Running make for M/MI/MIYAGAWA/App-cpanminus-1.7043.tar.gz
cp lib/App/cpanminus.pm blib/lib/App/cpanminus.pm
cp lib/App/cpanminus/fatscript.pm blib/lib/App/cpanminus/fatscript.pm
cp bin/cpanm blib/script/cpanm
"/usr/local/bin/perl" -MExtUtils::MY -e 'MY->fixin(shift)' -- blib/script/cpanm
  MIYAGAWA/App-cpanminus-1.7043.tar.gz
  /usr/bin/make -- OK
Running make test
PERL_DL_NONLAZY=1 "/usr/local/bin/perl" "-MExtUtils::Command::MM" "-MTest::Harness" "-e" "undef *Test::Harness::Switches; test_harness(0, 'blib/lib', 'blib/arch')" t/*.t
t/happy_cpantesters.t .. 1/1 # App::cpanminus/1.7043
t/happy_cpantesters.t .. ok
All tests successful.
Files=1, Tests=1,  0 wallclock secs ( 0.02 usr  0.01 sys +  0.04 cusr  0.00 csys =  0.07 CPU)
Result: PASS
  MIYAGAWA/App-cpanminus-1.7043.tar.gz
  /usr/bin/make test -- OK
Running make install
Installing /usr/local/lib/perl5/site_perl/5.26.0/App/cpanminus.pm
Installing /usr/local/lib/perl5/site_perl/5.26.0/App/cpanminus/fatscript.pm
Installing /usr/local/bin/cpanm
Appending installation info to /usr/local/lib/perl5/5.26.0/x86_64-linux/perllocal.pod
  MIYAGAWA/App-cpanminus-1.7043.tar.gz
  /usr/bin/make install  -- OK

While it would seem we can certainly use cpan, I'll also try embedding SHA256 of cpanm@1.7043. Thanks!
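As an added illustration (not code from this PR or the docker-perl project), the following Python sketch performs the verification step the comment above describes: it parses a CHECKSUMS entry in the Perl-hash format shown, then checks a downloaded dist's size, sha256 and sha256-ungz before anything is unpacked or installed. The Demo-Dist tarball and its entry in demo() are constructed for the example; only the entry format is taken from the page.

```python
import gzip
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One CHECKSUMS entry: 'Dist-1.0.tar.gz' => { 'sha256' => '...', ... },
_ENTRY_RE = re.compile(r"'([^']+)'\s*=>\s*\{(.*?)\}", re.S)
# One key/value pair inside an entry; values are quoted strings or bare ints.
_PAIR_RE = re.compile(r"'([\w-]+)'\s*=>\s*(?:'([^']*)'|(\d+))")


def parse_checksums(text):
    """Turn the Perl-hash text of a CPAN CHECKSUMS file into {dist: {key: value}}."""
    entries = {}
    for dist, body in _ENTRY_RE.findall(text):
        entries[dist] = {k: (s if s else n) for k, s, n in _PAIR_RE.findall(body)}
    return entries


def verify_dist(tarball, entry):
    """Check size, sha256 of the .tar.gz and sha256-ungz of its gunzipped bytes.
    Returns False on any mismatch, so the caller never unpacks a bad dist."""
    data = Path(tarball).read_bytes()
    if "size" in entry and int(entry["size"]) != len(data):
        return False
    if not hmac.compare_digest(hashlib.sha256(data).hexdigest(), entry.get("sha256", "")):
        return False
    if "sha256-ungz" in entry:
        ungz = hashlib.sha256(gzip.decompress(data)).hexdigest()
        if not hmac.compare_digest(ungz, entry["sha256-ungz"]):
            return False
    return True


def demo():
    """Constructed dist plus a matching CHECKSUMS entry; returns (ok, tampered_ok)."""
    raw = b"fake tar contents for the demo dist"  # constructed, not a real dist
    gz = gzip.compress(raw)
    text = ("'Demo-Dist-0.1.tar.gz' => {\n"
            f"  'sha256' => '{hashlib.sha256(gz).hexdigest()}',\n"
            f"  'sha256-ungz' => '{hashlib.sha256(raw).hexdigest()}',\n"
            f"  'size' => {len(gz)}\n}},")
    entry = parse_checksums(text)["Demo-Dist-0.1.tar.gz"]
    with tempfile.TemporaryDirectory() as d:
        p = Path(d, "Demo-Dist-0.1.tar.gz")
        p.write_bytes(gz)
        ok = verify_dist(p, entry)                 # genuine dist: True
        p.write_bytes(gzip.compress(raw + b"!"))   # simulated tampering
        tampered = verify_dist(p, entry)           # altered dist: False
    return ok, tampered
```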

tianon (Contributor) commented Aug 16, 2017 via email

zakame (Member, Author) commented Aug 16, 2017

Yeah, it is a bit of a bother to checksum against the dist then unpack and install, but it is doable.

I'll whip up another PR. Thanks!

zakame (Member, Author) commented Aug 19, 2017

Now unneeded since #41 is merged. Thanks!

@zakame zakame closed this Aug 19, 2017
@zakame zakame deleted the secure-cpanminus branch August 19, 2017 11:26