Moin, On Thursday 06 July 2006 11:40, David Cantrell wrote: > Tels wrote: > > And, "improve compatibility" - with broken systems? OMG. :) > > Yeah, you know, like when you comment this out before release :-) > > # die("Sorry, you must have a computer to run this software\n") > # if($^O =~ /win32/i); > > >> Given that Mod::Sig checks are just that the signature is valid, not > >> that the signature matches a known/registered developer, the > >> security aspect is already minimal. > > > > This is a security bug and should then be fixed ASAP. > > Given that you have to be logged in to the PAUSE and have permission to > upload stuff for that module, then I don't think that signatures matter > in the slightest. It doesn't give you any kind of trust metric (like, > say, that the author is a nice guy and his Makefile.PL won't delete > your home directory) that you don't already have from the fact that my > module had to have been uploaded by me.
The signature makes sure that: * the mirror from where you download the file distrubutes you still the same file that was uploaded to CPAN. * it was signed by someone who knows/has the private key and nobody else These are two very important points, and none should be thrown away just because somebody doesn't understand how that works or some end-users aren't able to configure their systems. Best wishes, Tels -- Signed on Fri Jul 7 15:44:26 2006 with key 0x93B84C15. Visit my photo gallery at http://bloodgate.com/photos/ PGP key on http://bloodgate.com/tels.asc or per email. "Five exclamation marks, the sure sign of an insane mind." -- Terry Pratchett
pgpswmJNvnJ1u.pgp
Description: PGP signature