Moin,

On Thursday 06 July 2006 11:40, David Cantrell wrote:
> Tels wrote:
> > And, "improve compatibility" - with broken systems? OMG. :)
>
> Yeah, you know, like when you comment this out before release :-)
>
> # die("Sorry, you must have a computer to run this software\n")
> #   if($^O =~ /win32/i);
>
> >> Given that Mod::Sig checks are just that the signature is valid, not
> >> that the signature matches a known/registered developer, the
> >> security aspect is already minimal.
> >
> > This is a security bug and should then be fixed ASAP.
>
> Given that you have to be logged in to the PAUSE and have permission to
> upload stuff for that module, then I don't think that signatures matter
> in the slightest.  It doesn't give you any kind of trust metric (like,
> say, that the author is a nice guy and his Makefile.PL won't delete
> your home directory) that you don't already have from the fact that my
> module had to have been uploaded by me.

The signature makes sure that:

* the mirror from where you download the file still distributes the 
same file that was uploaded to CPAN.
* it was signed by someone who knows/has the private key and nobody else

These are two very important points, and none should be thrown away just 
because somebody doesn't understand how that works or some end-users 
aren't able to configure their systems.

Best wishes,

Tels

-- 
 Signed on Fri Jul  7 15:44:26 2006 with key 0x93B84C15.
 Visit my photo gallery at http://bloodgate.com/photos/
 PGP key on http://bloodgate.com/tels.asc or per email.

 "Five exclamation marks, the sure sign of an insane mind." -- Terry
 Pratchett
