Moin,

On Wednesday 05 July 2006 17:56, David Golden wrote:
> Randy J. Ray wrote:
> > I'm a fairly-recent addition to the list. I've read a good part of
> > the
>
> Welcome!
>
> > Secondly, having recently added digital-signing to a few of my
> > modules, perhaps the presence of a SIGNATURE file might be a Kwalitee
> > marker (with the caveat that it should be an actual
> > Module::Signature-generated artifact, not just a zero-length file
> > named "SIGNATURE"). I found the steps needed to add this to be pretty
> > simple, not much more work than adding POD and POD-coverage tests to
> > those same modules.
>
> Module::Signature has caused a problem at various points for people who
> have it installed, but not configured properly. Given that, some
> developers have started removing SIGNATURE to improve compatibility.

Define "some" please :)

And, "improve compatibility" - with broken systems? OMG. :)

You mean we now don't sign packages anymore just because someone isn't
able to check the signature?

The right way is to tell the user to fix their borken system, not to
remove features.

> Given that Mod::Sig checks are just that the signature is valid, not
> that the signature matches a known/registered developer, the security
> aspect is already minimal.

This is a security bug and should then be fixed ASAP. But AFAIK, PAUSE
checks the key upon upload, and I *think* it would also check that the
maintainer who uploads the package is the one who signed it. Anything else
would be a stupid lapse and I can't imagine Andreas would be that stupid :)

Best wishes,

Tels

--
Signed on Wed Jul 5 19:53:45 2006 with key 0x93B84C15.
Visit my photo gallery at http://bloodgate.com/photos/
PGP key on http://bloodgate.com/tels.asc or per email.

"Most of the screen on a blog is blank for an imaginary populace of
readers still using 640x480 resolution. I didn't buy a 19" monitor to
have 50% of its screen realestate pissed away on firing white pixels,
you assholes." -- maddox from xmission
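
The distinction raised in the quoted paragraph above (a signature that is merely valid versus one made by the expected maintainer), as an added example that is not part of the original message and is not Module::Signature or PAUSE code: it reads the status lines GnuPG emits with `--status-fd` and compares the signer's fingerprint to a pinned set. The distribution name, pin list, fingerprints and status lines are all constructed assumptions.

```python
# Added example. Fingerprints, names and status lines are constructed.
FPR_MAINT = "1" * 40   # constructed: the maintainer's pinned primary-key fingerprint
FPR_OTHER = "2" * 40   # constructed: another key that also produces valid signatures
PINNED = {"Example-Dist": {FPR_MAINT}}  # hypothetical pin list: distribution -> fingerprints

# GnuPG status keywords that mean the signature must not be accepted.
FAIL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_status(status_text):
    """Return (cryptographically_valid, signer_fingerprints) from gpg --status-fd text."""
    good, failed, fprs = False, False, set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            good = True
        elif parts[1] in FAIL:
            failed = True
        elif parts[1] == "VALIDSIG" and len(parts) >= 3:
            # The tenth argument is the primary-key fingerprint when gpg reports it;
            # otherwise fall back to the signing (sub)key fingerprint.
            fprs.add((parts[11] if len(parts) >= 12 else parts[2]).upper())
    return (good and not failed and bool(fprs)), fprs

def check(dist, status_text):
    """'invalid' = bad crypto, 'unpinned-signer' = valid but unknown key, 'ok' = both pass."""
    valid, fprs = parse_status(status_text)
    if not valid:
        return "invalid"
    if fprs <= PINNED.get(dist, set()):
        return "ok"
    return "unpinned-signer"

def sample(fpr):
    """Build constructed status output for a good signature made by key `fpr`."""
    return (f"[GNUPG:] GOODSIG {fpr[-16:]} Constructed Signer <signer@example.org>\n"
            f"[GNUPG:] VALIDSIG {fpr} 2006-07-05 1152121994 0 4 0 17 2 01 {fpr}\n")

BAD_SAMPLE = f"[GNUPG:] BADSIG {FPR_MAINT[-16:]} Constructed Signer <signer@example.org>\n"

if __name__ == "__main__":
    for name, text in [("maintainer key", sample(FPR_MAINT)),
                       ("other key", sample(FPR_OTHER)),
                       ("tampered file", BAD_SAMPLE)]:
        print(name, "->", check("Example-Dist", text))
```

A validity-only check accepts the first two samples alike; only the fingerprint comparison separates them.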