Installing packages via PAR::WebStart
The CPAN search utility at
cpan.uwinnipeg.ca may be configured to provide links which
can launch applications to
This document describes how to set up and use this service,
as well as some of the security implications involved.
The following
steps should be carried out to prepare for using this service.
You may have to carry out some initial configuration
on your system.
- For installing CPAN modules from the sources,
make sure that either
CPAN or
CPANPLUS
is available and configured (the PAR-based application used
to install the modules will first check if CPANPLUS is available,
and if not, use CPAN). How to configure these packages is
described in their respective documentation.
- For installing Win32 ppm packages, ensure that a working
ppm utility is available. For installing dependencies, you may
find it convenient to add the following repositories within
the ppm shell:
for ActivePerl 8xx builds, based on perl-5.8:
and for ActivePerl 6xx builds, based on perl-5.6:
Make sure to add only those repositories corresponding to
your Perl version, as reported by C:\>perl -v.
Install
PAR::WebStart;
Win32 ppm packages for
ActivePerl 8xx and
ActivePerl 6xx
are available. Note that the
Module::Signature
dependency requires either
gnupg
or
Crypt::OpenPGP;
Win32 binary packages are available in both cases.
PAR::WebStart is a Perl implementation of
Java's WebStart. PAR-WebStart is a helper application associated
with a browser. When a user clicks on a link that points to a
PNLP [PAR Network Launch Protocol] launch file (a special XML file),
it causes the browser to launch PAR-WebStart, which then
automatically downloads, caches, and runs the specified
PAR-based
application.
Associate files of MIME type
application/x-perl-pnlp-file and extension .pnlp
with the perlws script of PAR-WebStart. How to do this
is dependent on the operating system and browser, and
is described in more detail in the perlws documentation.
In brief:
- On Windows, run the
included pnlp_registry script in the PAR-WebStart
distribution, which will set up the needed file association
entries in the Windows registry.
- On Linux with KDE, for example, one can add a file association
by opening the File Associations menu item under
Control Center -> KDE Components. Add a new application
entry of name x-perl-pnlp-file, with filename pattern
*.pnlp. The application to handle this should be associated
with the perlws.pl script.
Enable links to launch the
appropriate applications by selecting the relevant form element
in the "Preferences" menu item of
cpan.uwinnipeg.ca; this requires that cookies be enabled
for your browser.
After this setup, "[install]" links will
appear within
cpan.uwinnipeg.ca of two types:
- next to download links associated with distributions.
These will be either of the form
http://cpan.uwinnipeg.ca/cpan_install?dist=pack-0.1.tar.gz;cpanid=ABC,
which can be used to launch either CPAN or CPANPLUS to install
the pack-0.1.tar.gz distribution beneath
A/AB/ABC/ of the authors/id/ area of
CPAN, or
http://cpan.uwinnipeg.ca/cpan_install?module=ABC::DEF,
which will use either CPAN or CPANPLUS to install the ABC::DEF
module.
- within the Win32 repositories section providing a particular ppm package.
These will be of the form
http://cpan.uwinnipeg.ca/ppm_install?dist=pack;rep=alias,
which can be used to launch the ppm utility to install the
pack distribution available within the alias
repository. The repository aliases used are
The installation of CPAN and ppm packages is done by
downloading and executing specific
PAR
archives, as detailed in the PNLP file. The archives
consist of:
- for the installation of CPAN modules, a
main script and a
helper module to
invoke CPAN or CPANPLUS to install the distribution
specified in the query string passed to
http://cpan.uwinnipeg.ca/cpan_install
- for the installation of Win32 ppm packages, a
main script and a
helper module to
invoke the ppm utility to install the package
specified in the query string passed to
http://cpan.uwinnipeg.ca/ppm_install
These archives are downloaded, and subsequently cached,
in a directory specified by the
PAR_TEMP environment variable, if set, or otherwise
by the tmpdir method of the File::Spec
module.
Of course, one must be extremely careful in running
programs obtained from an external source, not just
in trusting that source, but also to guard against
man-in-the-middle attacks. There are
two checks present here that help in this context.
- the PAR archives on the server have an associated MD5 checksum
file present; this will be checked against the MD5 checksum of the
downloaded archive. As well as a mild check on the integrity
of the download, this is also used as a cache control, in that
if a cached PAR archive has an MD5 checksum that
matches that of the remote archive, the cached copy will
be used.
- unless specifically disabled by the server (in which case
the user will be warned), PAR archives
by default are digitally signed using
Module-Signature, and this signature will be verified
before the PAR files are executed. Note that this check is
not performed on cached files that have been verified as being current.
As well, the user must confirm that she/he does wish to run
the specified PAR-based application before that application
is executed.
There are also some checks done on the arguments passed to
the main scripts:
- for the installation of CPAN modules, where the query
string either has the form
dist=pack-0.1.tar.gz;cpanid=ABC,
for which the CPAN author id cpanid must match the regular expression
m{^[-A-Z0-9]+$} and the distribution name
dist must match
m{^[+\-_\.\@0-9\w]+(\.tar\.gz|\.tgz|\.zip)$}, or
module=ABC::DEF, for which the module name
module must match
m{^[A-Za-z0-9\:]+$},
- for the installation of Win32 ppm packages, where the query
string has the form
dist=pack;rep=alias, the
repository alias alias must match
m{^[a-zA-Z0-9]+$} and the ppm distribution name
dist must match
m{^[+\-_\.\@0-9\w]+$}
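The argument checks listed above, as an added example in Perl (this is not the service's own script). The patterns are quoted from this page; the classify_query sub, the %RULES and %FORMS tables, the rule that no extra or repeated keys are allowed, and the sample queries are assumptions made for illustration.

```perl
use strict;
use warnings;

# Patterns are quoted from the page; the sub and table names are assumptions.
my %RULES = (
    cpan_dist   => { dist   => qr{^[+\-_\.\@0-9\w]+(\.tar\.gz|\.tgz|\.zip)$},
                     cpanid => qr{^[-A-Z0-9]+$} },
    cpan_module => { module => qr{^[A-Za-z0-9\:]+$} },
    ppm         => { dist   => qr{^[+\-_\.\@0-9\w]+$},
                     rep    => qr{^[a-zA-Z0-9]+$} },
);
my %FORMS = (cpan_install => [qw(cpan_dist cpan_module)], ppm_install => ['ppm']);

# Returns the name of the matching query form, or undef if the query is rejected.
sub classify_query {
    my ($endpoint, $query) = @_;
    my %arg;
    for my $pair (split /;/, $query, -1) {
        my ($k, $v) = split /=/, $pair, 2;
        # Reject malformed pairs and repeated keys outright.
        return unless defined $k && defined $v && !exists $arg{$k};
        $arg{$k} = $v;
    }
    FORM: for my $form (@{ $FORMS{$endpoint} || [] }) {
        my $rule = $RULES{$form};
        next FORM unless keys(%arg) == keys(%$rule);   # no missing or extra keys
        for my $k (keys %$rule) {
            next FORM unless exists $arg{$k} && $arg{$k} =~ $rule->{$k};
        }
        return $form;
    }
    return;
}

# Constructed sample queries, not captured traffic.
my @samples = (
    [cpan_install => 'dist=pack-0.1.tar.gz;cpanid=ABC'],
    [cpan_install => 'module=ABC::DEF'],
    [ppm_install  => 'dist=pack;rep=alias'],
    [cpan_install => 'dist=../pack-0.1.tar.gz;cpanid=ABC'],  # "/" is outside the class
    [ppm_install  => 'dist=pack;rep=alias;extra=1'],         # extra key
    [cpan_install => "module=ABC::DEF\n"],  # "$" also matches before a final "\n"; "\z" would not
);
for my $s (@samples) {
    my $form = classify_query(@$s);
    (my $shown = $s->[1]) =~ s/\n/\\n/g;    # make a trailing newline visible
    printf "%-13s %-38s %s\n", $s->[0], $shown, defined $form ? "accept ($form)" : 'reject';
}
```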
Please contact Randy Kobes
for any problems, questions, or comments about any aspect of this
feature.