On Thu, Oct 24, 2019 at 11:00:28AM +0200, Vincent Lefevre wrote:
> On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> > So as I understand this, verifying CHECKSUMS would be the thing to do,
> > and setting 'check_sigs' wouldn't really help (only deployed partially
> > and no web of trust to the module authors).
>
> Indeed, and even if check_sigs is set, it is ignored if the module is
> not signed (instead of getting a failure). But CHECKSUMS needs to be
> downloaded from a reliable website (I assume that www.cpan.org is)
> and in a secure way (https, not http).
I understand the CHECKSUMS files are PGP signed by the CPAN archive. I was
referring to verifying these signatures. Whether the download is https or
not is not relevant for that verification.

--
Niko Tyni nt...@debian.org
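The check Niko describes, as an added example written for this page (it is not CPAN.pm's own code and not from either poster): verify the PGP signature on a downloaded CHECKSUMS file with gpg, read the distribution's sha256 out of the signed body, and compare it with the tarball. The signature verdict is taken from gpg's machine-readable status lines rather than its exit code, and the signing key is pinned by fingerprint, because gpg exits 0 for a good signature from any key in the keyring. The fingerprint, the CHECKSUMS contents and the tarball bytes below are constructed for the example and are not the real PAUSE key or a real CPAN file; only the parsing and hashing run offline, and `verify_distribution` needs a real CHECKSUMS file, the tarball, and the signing key in your keyring.

```python
"""Verify a CPAN CHECKSUMS file's PGP signature and check a distribution
tarball against it.  Example code for this page, not CPAN.pm's own."""
import hashlib
import os
import re
import subprocess
import sys

# Constructed for this example: NOT the real PAUSE/CPAN signing key fingerprint.
SIGNING_KEY_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Any of these status tokens means the signature must not be accepted.
FAIL_TOKENS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def parse_gpg_status(status_lines, expected_fpr):
    """Decide from gpg's --status-fd output whether the file carries a valid
    signature from the pinned key.  Returns the fingerprint, or raises."""
    seen = set()
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in FAIL_TOKENS:
            raise ValueError("signature rejected by gpg: " + line.strip())
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            # fields[2]: key that made the signature; fields[11]: its primary key
            seen.add(fields[2].upper())
            if len(fields) >= 12:
                seen.add(fields[11].upper())
    if not seen:
        raise ValueError("gpg reported no VALIDSIG")
    if expected_fpr.upper() not in seen:
        raise ValueError("signed by an unexpected key: " + ", ".join(sorted(seen)))
    return expected_fpr.upper()


def signed_body(clearsigned):
    """Extract the text that was signed from a clearsigned file.  This only
    locates the data; trust in it comes from gpg's verdict, not from this parse."""
    lines = clearsigned.splitlines()
    if "-----BEGIN PGP SIGNED MESSAGE-----" not in lines:
        raise ValueError("not a clearsigned file")
    i = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    while i < len(lines) and lines[i] != "":      # armor headers such as "Hash: SHA256"
        i += 1
    i += 1                                        # blank line before the body
    body = []
    while i < len(lines) and lines[i] != "-----BEGIN PGP SIGNATURE-----":
        line = lines[i]
        body.append(line[2:] if line.startswith("- ") else line)  # undo dash-escaping
        i += 1
    if i >= len(lines):
        raise ValueError("clearsigned file has no signature block")
    return "\n".join(body) + "\n"


def sha256_entry(body, distfile):
    """Read the sha256 recorded for distfile.  The body is a Perl hash; it is
    read textually here instead of being eval'd."""
    m = re.search(r"'%s'\s*=>\s*\{([^}]*)\}" % re.escape(distfile), body)
    if not m:
        raise KeyError(distfile)
    h = re.search(r"'sha256'\s*=>\s*'([0-9a-f]{64})'", m.group(1))
    if not h:
        raise ValueError("no sha256 recorded for " + distfile)
    return h.group(1)


def check_tarball(data, expected_hex):
    return hashlib.sha256(data).hexdigest() == expected_hex


def verify_distribution(checksums_path, dist_path, expected_fpr=SIGNING_KEY_FPR, gpg="gpg"):
    """Full check on files on disk: signature verdict first (independent of
    whether CHECKSUMS came over http or https), then the tarball's sha256."""
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", checksums_path],
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    parse_gpg_status(proc.stdout.splitlines(), expected_fpr)
    with open(checksums_path, "r", encoding="utf-8", errors="replace") as fh:
        body = signed_body(fh.read())
    with open(dist_path, "rb") as fh:
        data = fh.read()
    expected = sha256_entry(body, os.path.basename(dist_path))
    if not check_tarball(data, expected):
        raise ValueError("sha256 mismatch for " + dist_path)
    return expected


# Constructed sample input (not a real tarball, not a real CHECKSUMS file).
SAMPLE_TARBALL = b"not a real tarball, constructed for the example\n"
SAMPLE_CHECKSUMS = """0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CHECKSUMS file constructed for this example
$cksum = {
  'Example-Dist-1.00.tar.gz' => {
    'mtime' => '2019-10-23',
    'sha256' => '%s',
    'size' => %d
  },
};
__END__
-----BEGIN PGP SIGNATURE-----

(signature block omitted: constructed sample, gpg will not verify it)
-----END PGP SIGNATURE-----
""" % (hashlib.sha256(SAMPLE_TARBALL).hexdigest(), len(SAMPLE_TARBALL))

# Constructed gpg status output for a good and for a bad signature.
SAMPLE_GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
    "[GNUPG:] VALIDSIG " + SIGNING_KEY_FPR + " 2019-10-23 1571846400 0 4 0 1 8 00 " + SIGNING_KEY_FPR,
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BAD_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
]

if __name__ == "__main__":
    print(verify_distribution(sys.argv[1], sys.argv[2]))
```

Usage: `python3 check_cpan.py CHECKSUMS Example-Dist-1.00.tar.gz` with the CHECKSUMS file from the same directory as the tarball on www.cpan.org. The parse of the signed body deliberately does not `eval` the Perl, so a tampered file that fails the signature check never reaches an interpreter.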