Control: tag -1 upstream

On Sat, Oct 26, 2019 at 03:23:43PM +0200, Vincent Lefevre wrote:
> On 2019-10-26 15:45:28 +0300, Niko Tyni wrote:
> > I understand the CHECKSUMS files are PGP signed by the CPAN archive.
> > I was referring to verifying these signatures. Whether the download
> > is https or not is not relevant for that verification.
>
> This is not documented and the signature does not appear to be
> checked. Or do you have some proof?
I did not claim CPAN.pm checks these signatures. To the contrary, I specifically said it looks to me like cpanminus does check them (at least with --verify) but CPAN.pm doesn't. I'm not sure what proof you expect from me. I only tried to express that checking those signatures would be my preferred way of fixing this bug. I learned of their existence from the perlmonks post that I quoted earlier in this bug.

> Given that, https at least allows one to avoid MITM attacks.

I certainly agree that using https for downloading would be good. Perhaps that alone would even be a sufficient fix for this issue, though I think checking the signatures would be even better (and obviously the options are not mutually exclusive). As I already noted in this bug, https CPAN mirrors don't seem to exist, or at least they are not documented. Perhaps that's just an oversight.

Anyway, as has surely become clear by now, I'm not particularly familiar with CPAN. I don't feel my input is useful here, so I will stop now. Thank you for bringing this upstream. I'll be happy to see this fixed there and will consider backporting fixes once they exist.

--
Niko Tyni nt...@debian.org