> It adds a dependency on a binary application (gpg) that users have to
> install by hand, doesn't check for the presence of it properly, and if
> you don't have it, installs an enormous chain of dependencies, with said
> deps having some major issues of their own.
>
> It's become bad enough that Module::Signature is being pulled from
> Bundle::CPAN and being disabled by default in CPAN.pm, until
> Module::Signature gets a capable maintainer that can make it somewhat
> saner.
I think the solution (to dependency hell) is to dictate that CPAN modules be signed with a standard algorithm. OpenPGP allows too many different algorithms, hence the 22 modules Crypt::OpenPGP is dependent on. The only strong reason to stick with OpenPGP is that it has the whole web-of-trust and keyserver infrastructure.

If we can live without that, then I could write a small "cpansign" script that just uses Crypt::DSA to sign the distribution, and then have Module::Signature just verify that DSA signature. There's still a dependency issue, but 21 fewer of 'em. DSA can be made to be portable if it isn't already. (RSA is fine too; then I could sign my modules with my OpenPGP smartcard ;)

If we adopted this scheme, maybe we could just have authors upload their keys to PAUSE (or some other "Trusted Source"), and have people that want to verify distributions pull the keys down from there. The disadvantage of this is that the PAUSE master could forge distributions, as could someone performing a MITM attack on your key download. However, this could all happen anyway. I have a few keys of CPAN authors in my keyring, but I've never verified the fingerprints in real life... so for all I know, someone could be tampering with my distributions as we speak. This message might not really be from Jon Rockway :)

On a related note, I sent some patches in to the Crypt::OpenPGP author a while ago but never heard anything back. Is that module still being maintained?

Regards,
Jonathan Rockway
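The scheme sketched in the message above (a cpansign script producing a bare DSA signature over the distribution, Module::Signature verifying it against a key pulled from PAUSE), as an added Python example that is not code from the message, from Crypt::DSA or from any CPAN module. It assumes a constructed two-file distribution, a dict standing in for the PAUSE key registry with a made-up author id, and generates toy-sized DSA parameters in place of real key files.

```python
import hashlib
import secrets
def is_prime(n):  # Miller-Rabin with fixed bases: demo-grade, fine for random large candidates
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(s - 1)):
            return False
    return True

def dsa_params(qbits=160, pbits=512):
    """Toy-sized DSA domain parameters (demo only): prime q, prime p = k*q + 1, g of order q."""
    q, p, g = 4, 4, 1
    while not is_prime(q):
        q = secrets.randbits(qbits) | 1 << (qbits - 1) | 1
    while not is_prime(p):
        p = (secrets.randbits(pbits - qbits) | 1 << (pbits - qbits - 1)) * q + 1
    while g == 1:
        g = pow(secrets.randbelow(p - 2) + 2, (p - 1) // q, p)
    return p, q, g

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1  # private key: stays with the author
    return x, pow(g, x, p)            # public key y: what the author would upload to PAUSE

def dist_digest(files, q):
    """SHA-256 over the sorted (name, content) pairs, cut to q's bit length as DSA does."""
    h = hashlib.sha256(b"".join(n.encode() + b"\0" + files[n] + b"\0" for n in sorted(files)))
    return int.from_bytes(h.digest(), "big") >> max(0, 256 - q.bit_length())

def cpansign(files, p, q, g, x):
    """Author side: the (r, s) pair a cpansign script would write into SIGNATURE."""
    hm = dist_digest(files, q)
    while True:
        k = secrets.randbelow(q - 1) + 1  # fresh per signature; a reused k leaks x
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (hm + x * r) % q
        if r and s:
            return r, s

def verify_dist(files, sig, author, pause_keys):
    """Module::Signature side: fetch the author's (p, q, g, y) from the PAUSE registry and check."""
    (p, q, g, y), (r, s) = pause_keys[author], sig
    if not (0 < r < q and 0 < s < q):  # reject out-of-range values before inverting s
        return False
    w = pow(s, -1, q)
    return pow(g, dist_digest(files, q) * w % q, p) * pow(y, r * w % q, p) % p % q == r
```

Call cpansign(files, p, q, g, x) on the author side and verify_dist(files, sig, author, pause_keys) on the installer side; any change to a file's name or content, or a key that belongs to a different author, makes verify_dist return False. Note that the registry lookup is exactly the trust point the message describes: whoever controls pause_keys (or the download of it) decides which key counts as the author's.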