The Google change was the impetus to get around to it.

Clients should use TLS to request content. It limits the trust for downloading 
CPAN content roughly to:

- The author
- PAUSE system maintainers
- perl.org infrastructure maintainers
- Fastly
- Global CA infrastructure

Without TLS you basically trust anyone with any sort of access to your internet 
connection to not muck with the code you receive.

Obviously the real fix here is that clients need to request via TLS (since I 
doubt any clients other than regular browsers support HSTS).


Ask
