I may have missed it due to a few busy days, but I think that the suggestion
Leon made at http://use.perl.org/~acme/journal/6887 was an interesting one.
This doesn't depend solely on Perl 5.9 (but also on PAUSE) but I think it may
be worth discussing given that MakeMaker could surely help and that there is
talk about CPANPLUS integration into the core.
--
Robin Berjon <ro...@knowscape.com>
Prediction is very difficult, especially of the future.
-- Niels Bohr
> Hi,
> I may have missed it due to a few busy days, but I think that the suggestion
> Leon made at http://use.perl.org/~acme/journal/6887 was an interesting one.
> This doesn't depend solely on Perl 5.9 (but also on PAUSE) but I think it may
> be worth discussing given that MakeMaker could surely help and that there is
> talk about CPANPLUS integration into the core.
The cited http://www.cryptnet.net/fdp/crypto/strong_distro.html is a
very valuable piece of advice. I dislike chapter 2.4 ("Conventions").
I consider detached signatures unnecessarily impractical.
My stance on this is:
- make security optional
- integrate the security into the distribution
Both can and should be done without affecting PAUSE.
- The key is in MakeMaker/Module::Build.
The signature should be part of the distribution file and instead of
the .tar.gz file, a MANIFEST.digest or equivalent needs to be signed.
The perl equivalent of 'rpm --sign' would do the following:
- untar the package
- compute a MANIFEST.digest (can be YAML format containing MD5 digests
for all contained files except for MANIFEST.digest itself, can
alternatively be XML format containing SHA1 digests)
- sign the MANIFEST.digest
- tar and compress or zip it (all of .tar.gz, .zip, .tar.bz2, etc.
would have identical content).
You do not need to convince any developer or user to produce/use that
MANIFEST.digest file. We do not require people to sign their work. We
need to make it convenient for both sides to add security.
--
andreas
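As an added illustration of the MANIFEST.digest step in the list above (this is not code from the message, MakeMaker, Module::Build or any other project): a Perl script that computes MD5 digests of an unpacked distribution into a YAML mapping, and verifies a tree against an existing manifest, reporting modified, missing and unlisted files. It assumes a directory argument holding the untarred package; the signing of MANIFEST.digest itself (what 'rpm --sign' does with the key, here left to gpg or Module::Signature) is not shown.

```perl
use strict;
use warnings;
use File::Find;
use File::Spec;
use Digest::MD5;   # MD5 as in the message; Digest::SHA->new(256) is a drop-in replacement
my $DIGEST_FILE = 'MANIFEST.digest';

# Relative path => MD5 hex for every file under $dir, except MANIFEST.digest itself.
sub digest_tree {
    my ($dir) = @_;
    my %sums;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $File::Find::name;
        my $rel = File::Spec->abs2rel($File::Find::name, $dir);
        return if $rel eq $DIGEST_FILE;
        open my $fh, '<:raw', $File::Find::name or die "${File::Find::name}: $!";
        $sums{$rel} = Digest::MD5->new->addfile($fh)->hexdigest;
    } }, $dir);
    return \%sums;
}

# YAML mapping, sorted so the file (and any signature later made over it) is reproducible.
sub write_manifest {
    my ($dir, $sums) = @_;
    open my $out, '>', File::Spec->catfile($dir, $DIGEST_FILE) or die "$!";
    print {$out} "---\n", map { "$_: $sums->{$_}\n" } sort keys %$sums;
    close $out;
}

# Recompute and compare; unlisted files are reported too, since they would escape the signature.
sub verify_manifest {
    my ($dir) = @_;
    open my $in, '<', File::Spec->catfile($dir, $DIGEST_FILE) or die "$!";
    my %listed = map { /^(.+): ([0-9a-f]{32})$/ ? ($1 => $2) : () } <$in>;
    close $in;
    my $actual = digest_tree($dir);
    my @problems;
    for my $f (sort keys %listed) {
        push @problems, !exists $actual->{$f} ? "missing: $f"
            : $actual->{$f} ne $listed{$f} ? "modified: $f" : ();
    }
    push @problems, "unlisted: $_" for grep { !exists $listed{$_} } sort keys %$actual;
    return @problems;
}

my $dist = shift @ARGV or die "usage: $0 <unpacked-dist-dir>\n";
write_manifest($dist, digest_tree($dist)) unless -e File::Spec->catfile($dist, $DIGEST_FILE);
my @problems = verify_manifest($dist);
print @problems ? map("$_\n", @problems) : "all files match $DIGEST_FILE\n";
```

The first run over a directory writes the manifest; later runs check the tree against it, so editing or adding a file after the manifest was made shows up as "modified:" or "unlisted:".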