Randy Kobes wrote:
A couple of mild checks I use for PAR::WebStart are
- digitally sign the par files with Module::Signature, and verify the signature before running things;
- place an md5 checksum file on the server, and check that against the locally downloaded copy.
While these are good ideas and easily implemented server-side, I'd rather not depend on Module::Signature on the client side. I'm trying to stay very low on dependencies since the whole point is to enable it to fetch dependencies from the repository. Optionally verifying .par files, however, would be feasible. The question remains whether *optional* verifying buys *any* security.
Perhaps I should spend some time to "fix" Module::Signature's problems and while at that, try to relax a couple of its dependencies. (Math::Pari? That's a joke!) It's just that I'm not exactly an expert in these issues.
Steffen
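For readers who want to see what the second of Randy's checks (the server-side checksum file, compared against the downloaded copy) looks like when it fails closed rather than optionally, here is an added example. It is not code from PAR::WebStart, Module::Signature or either poster; it uses only core Perl modules, assumes an md5sum/sha256sum-style checksum file ("HEX  filename" per line), and all function names and the constructed sample files are mine.

```perl
#!/usr/bin/perl
# Added example (not PAR::WebStart code): verify a downloaded .par against a
# server-provided checksum file, refusing to proceed when the entry is missing
# or the digest differs. Uses only core modules so it adds no dependency.
use strict;
use warnings;
use Digest::MD5;
use Digest::SHA;
use File::Temp qw(tempfile);

# Hex digest of a file; 'md5' as in the thread, or 'sha256' as the stronger choice.
sub file_digest {
    my ($path, $algo) = @_;
    open my $fh, '<:raw', $path or die "open $path: $!";
    my $ctx = $algo eq 'md5' ? Digest::MD5->new : Digest::SHA->new(256);
    $ctx->addfile($fh);
    close $fh;
    return lc $ctx->hexdigest;
}

# Parse an md5sum/sha256sum-style checksum file ("HEX  filename" or "HEX *filename").
# Assumed format; comment lines and blank lines are skipped.
sub parse_checksum_file {
    my ($path) = @_;
    my %expected;
    open my $fh, '<', $path or die "open $path: $!";
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;
        my ($hex, $name) = $line =~ /^([0-9a-fA-F]+)\s+\*?(.+)$/ or next;
        $expected{$name} = lc $hex;
    }
    close $fh;
    return \%expected;
}

# Compare two hex digests without an early exit on the first differing byte.
sub digests_match {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 only if the checksum file lists $name AND the digest matches.
# A missing entry is a failure, so verification cannot be silently skipped.
sub verify_par {
    my ($par_path, $name, $checksum_path, $algo) = @_;
    my $expected = parse_checksum_file($checksum_path);
    return 0 unless exists $expected->{$name};
    return digests_match(file_digest($par_path, $algo), $expected->{$name}) ? 1 : 0;
}

# Demo with constructed data: a fake .par and its checksum file in temp files.
my ($par_fh, $par_path) = tempfile(SUFFIX => '.par', UNLINK => 1);
binmode $par_fh;
print $par_fh "PK\x03\x04 constructed par payload\n";
close $par_fh;

my ($sum_fh, $sum_path) = tempfile(SUFFIX => '.md5', UNLINK => 1);
print $sum_fh file_digest($par_path, 'md5'), "  demo.par\n";
close $sum_fh;

printf "intact download:   %s\n",
    verify_par($par_path, 'demo.par', $sum_path, 'md5') ? 'ok' : 'REJECT';

# Simulate a corrupted or altered download by appending one byte; the check must fail.
open my $app, '>>:raw', $par_path or die "append $par_path: $!";
print $app "x";
close $app;
printf "modified download: %s\n",
    verify_par($par_path, 'demo.par', $sum_path, 'md5') ? 'ok' : 'REJECT';
```

Two points this makes concrete for the "does optional verifying buy any security" question: the client only gains anything if `verify_par` returning 0 actually aborts the load (a missing checksum entry is treated as a failure above for exactly that reason), and a checksum fetched from the same server as the .par detects transfer corruption but not a compromised or substituted server, which is what the signature check in Randy's first point is for.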