On Wed, Aug 02, 2000 at 05:06:17PM +0200, Andreas J. Koenig wrote:

> A signature by PAUSE is an interesting idea. But it would tell the
> user something different than a signature by a person. While I imagine
> that a sig by GBARR would mean something like: "I have written or at
> least double-checked the code in this package to be free from malicious
> intent. This is not a warranty." (careful considerations about wording
> pending). A signature of the PAUSE could only mean "These checksums
> were valid at the time of the upload."

Well, at least the user knows that what they got is exactly what was uploaded.

> >> But
> >> they are in the PPD. Hmmm. I'd say it should go away. The CPAN ID is
> >> fine, it is associated with a record in a public database and the
> >> record can be edited by the person. PAUSE could refuse an upload if
> >> the ID in the OSD isn't the same as the person doing the upload or
> >> some such.
> >
> > Would you always want to force that? For example, why would the perl distribution
> > not be able to set the field to <[EMAIL PROTECTED]> ?
>
> Who has the private key of the perl5-porters? I believe the signing
> must remain a strictly personal testimony. We should be prepared to
> let many people sign something, e.g. a release manager makes the
> release and asks the pumpking to also sign. But a group as such can
> only be presented by one signature for each member.

The AUTHOR field is not related to the signature. Actually, I would always consider Larry as the author of perl, so I would expect Larry to appear as the AUTHOR in the OSD, unless he said he wanted some other email address in there.

Graham.