Re: Module Signatures [was Re: On Gaming CPANTS...]

2006-07-07 Thread Tels
Moin,

On Thursday 06 July 2006 03:22, Jonathan Rockway wrote:
  It adds a dependency on a binary application (gpg) that users have to
  install by hand, doesn't check for the presence of it properly, and
  if you don't have it, installs an enormous chain of dependencies,
  with said deps having some major issues of their own.
 
  It's become bad enough that Module::Signature is being pulled from
  Bundle::CPAN and being disabled by default in CPAN.pm, until
  Module::Signature gets a maintainer capable that can make it somewhat
  saner.

Er, you realize that you _don't_ have to check the signature if your system 
is so broken as to not allow it?

I really don't understand that argument anyhow:

Replace Module::Signature with RPM and read it again:

  It adds a dependency on a binary application (gpg) that users have to
  install by hand, doesn't check for the presence of it properly, and
  if you don't have it, installs an enormous chain of dependencies,
  with said deps having some major issues of their own.

I don't think anybody would suggest SuSE no longer sign their RPM 
packages with their gpg key... instead they make sure you have 
gpg installed and configured properly before doing the signature check.

If you insist on running a system w/o gpg, and you want to check the 
signature on a Perl package, you gotta go, configure your system and 
install some software for the purpose.

Next someone tells me I can't use XS because it makes the distribution 
depend on a compiler? :-)

Leaving off the signature of software distributions just because someone 
isn't able to configure their system is so... I fail to find the words for it.

Best wishes,

tels

-- 
 Signed on Fri Jul  7 15:47:00 2006 with key 0x93B84C15.
 Visit my photo gallery at http://bloodgate.com/photos/
 PGP key on http://bloodgate.com/tels.asc or per email.

 The difference between pornography and erotica is lighting -- Gloria
 Leonard



Re: Module Signatures [was Re: On Gaming CPANTS...]

2006-07-06 Thread A. Pagaltzis
* Jonathan Rockway [EMAIL PROTECTED] [2006-07-06 03:25]:
 I think the solution (to dependency hell) is to dictate that
 CPAN modules be signed with a standard algorithm. OpenPGP
 allows too many different algorithms, hence the 22 modules
 Crypt::OpenPGP is dependent on.  The only strong reason to
 stick with OpenPGP is that it has the whole web-of-trust and
 keyserver infrastructure.
 
 If we can live without that,

What’s the point?

If all that’s verified is that the distribution was signed with
the key uploaded to the same directory, then all you can have
confidence in is that the distribution was uploaded by someone who
has permission to upload a key. That might be the author, or it
might be an impostor who got ahold of the author’s account
details and uploaded his own key.

But to upload a distribution you need the author’s account
details anyway! So the cryptosig doesn’t give you confidence in
any facts that you didn’t already have confidence in. In other
words, for the signatures to improve confidence, they have to
be generated from keys that either form part of a web of trust in
which the downloader participates, or they have to be issued by a
certification authority that imposes additional background
verification before it will issue a key.

I don’t think running a cert auth is feasible for CPAN. So the
only worthwhile option is to participate in the PGP web of trust.
If you do away with that, you can just as well do away with
cryptosigs altogether.

NB.: of course, Mod::Sig currently doesn’t check the
trustworthiness of a key, only whether a distribution is
signed with the uploaded key, so it’s pointless in precisely
the way outlined above. Until such time as trust checks are
implemented, there is no point to signing CPAN distros.

Regards,
-- 
Aristotle Pagaltzis // http://plasmasturm.org/
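Two points in this thread lend themselves to a concrete check: Tels' remark that a packager should make sure gpg is installed and configured before attempting a signature check, and Aristotle's observation that verifying "signed by the key sitting next to the tarball" proves nothing unless the key's trustworthiness is also checked. The script below is an added illustration written for this page; it is not code from Module::Signature, CPAN.pm or any of the posters. It locates gpg in PATH up front, runs `gpg --verify` with `--status-fd 1`, and then refuses a SIGNATURE file unless gpg reports both a VALIDSIG line and a TRUST_FULLY or TRUST_ULTIMATE line, i.e. the key is valid in the verifier's own web of trust. The status-line format is gpg's documented machine-readable output; the sample status lines at the bottom are constructed (the fingerprint, key id and address are placeholders) so the decision logic can be exercised without gpg present.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Locate gpg in PATH before doing anything else, so a missing binary
# produces one clear error instead of a confusing failure later on.
sub find_gpg {
    for my $dir (File::Spec->path) {
        for my $name (qw(gpg2 gpg)) {
            my $candidate = File::Spec->catfile($dir, $name);
            return $candidate if -x $candidate;
        }
    }
    return;
}

# Parse gpg's "[GNUPG:] ..." status lines and decide whether the signature
# is (a) cryptographically valid and (b) made by a key that is FULLY or
# ULTIMATELY trusted in the local web of trust.  Returns ($ok, $reason).
# A GOODSIG/VALIDSIG without an acceptable TRUST_* line is rejected: that
# is exactly the "signed with the uploaded key" case the thread discusses.
sub judge_status {
    my (@lines) = @_;
    my ($valid, $fpr, $trust);
    for my $line (@lines) {
        next unless $line =~ /^\[GNUPG:\]\s+(\S+)(?:\s+(.*))?$/;
        my ($tag, $rest) = ($1, defined $2 ? $2 : '');
        if ($tag eq 'VALIDSIG') {
            $valid = 1;
            ($fpr) = split ' ', $rest;            # first field is the fingerprint
        }
        elsif ($tag =~ /^(?:BADSIG|ERRSIG|NO_PUBKEY)$/) {
            return (0, "$tag $rest");
        }
        elsif ($tag =~ /^TRUST_(\w+)$/) {
            $trust = $1;                          # UNDEFINED, NEVER, MARGINAL, FULLY, ULTIMATE
        }
    }
    return (0, 'no VALIDSIG line: signature did not verify') unless $valid;
    return (0, 'no TRUST_* line: gpg gave no trust verdict')  unless defined $trust;
    return (0, "key $fpr has trust level $trust; need FULLY or ULTIMATE")
        unless $trust eq 'FULLY' || $trust eq 'ULTIMATE';
    return (1, "key $fpr is valid and $trust trusted");
}

# Run gpg on a clearsigned SIGNATURE file and judge its status output.
sub verify_signature_file {
    my ($sigfile) = @_;
    my $gpg = find_gpg()
        or die "gpg not found in PATH; install and configure it before verifying\n";
    # --status-fd 1 sends the machine-readable lines to stdout; the human-
    # readable chatter stays on stderr, so we never parse localized text.
    open my $fh, '-|', $gpg, '--batch', '--no-tty', '--status-fd', '1',
                      '--verify', $sigfile
        or die "cannot run $gpg: $!\n";
    my @status = <$fh>;
    close $fh;
    return judge_status(@status);
}

# Constructed sample of gpg status output (placeholder key and address,
# not captured from a real run): a good signature from a key nobody trusts.
my @sample_untrusted = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Author <author\@example.invalid>\n",
    "[GNUPG:] VALIDSIG 0000111122223333444455556666777788889999 2006-07-07 "
      . "1152287220 0 4 0 1 2 00 0000111122223333444455556666777788889999\n",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n",
);

my ($ok, $why) = @ARGV ? verify_signature_file($ARGV[0])
                       : judge_status(@sample_untrusted);
print(($ok ? 'ACCEPT' : 'REJECT'), ": $why\n");
```

Run it with no arguments to see the constructed sample rejected on trust grounds, or with the path to a distribution's SIGNATURE file to have gpg verify it for real. The point of the split between `judge_status` and `verify_signature_file` is that the trust policy is a pure function of gpg's status lines, so it can be reviewed and unit-tested without a keyring, while the "is gpg even here" check happens once, before any verification is attempted.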