Hi, I'm the maintainer of IO::Socket::SSL and I've just found your serious problem report about IO::Socket::SSL doing network connections to external sites during testing.
IO::Socket::SSL will ask during the build, if the tests should be run and you can deny running external tests. But, the default is true for the following reason: To make it secure by default an SSL library must have a usable set of trusted CAs. IO::Socket::SSL tries to use the system CA store (i.e. /etc/ssl/certs in Debian) to integrate with the rest of the system. Of course it needs to be verified, that the default CA is usable for common tasks, that is it must provide the trusted CA for common targets. The best way is to actually try to connect against these targets and make sure the connection can be verified. The tests will detected SSL intercepting proxies or other problems and disable further tests in these cases. I can understand that you are not comfortable to let arbitrary tests connect to external sites in all situations. But, in my opinion, anybody who does not like this should run any builds and tests within restricted environments without or with only limited network access anyway. Apart from that I'm happy to check any kind of environment variables which would indicate that the user is not willing to run external tests. Just let me know the details. Regards, Steffen -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
