Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Niko Tyni ntyni at debian.org
Sat Oct 26 13:45:28 BST 2019


On Thu, Oct 24, 2019 at 11:00:28AM +0200, Vincent Lefevre wrote:
> On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> > So as I understand this, verifying CHECKSUMS would be the thing to do,
> > and setting 'check_sigs' wouldn't really help (only deployed partially
> > and no web of trust to the module authors).
> 
> Indeed, and even if check_sigs is set, it is ignored if the module is
> not signed (instead of getting a failure). But CHECKSUMS needs to be
> downloaded from a reliable website (I assume that www.cpan.org is) and
> in a secure way (https, not http).

I understand the CHECKSUMS files are PGP signed by the CPAN archive.
I was referring to verifying these signatures. Whether the download
is https or not is not relevant for that verification.
-- 
Niko Tyni   ntyni at debian.org
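
An added worked example of the check discussed above: verifying a distribution against the CPAN archive's signed CHECKSUMS file. This is not code from the thread, from CPAN.pm or from Debian. Assumptions, labelled in the code as well: the CHECKSUMS layout is approximated from memory as a Perl hash of per-file entries carrying 'sha256' and 'size' keys inside a PGP clearsigned message; the sample distribution bytes and the CHECKSUMS entry for them are constructed so the example runs offline (its PGP signature block is a placeholder, not a real signature); the gpg helper assumes gpg is on PATH and that the CPAN archive's signing key is already imported, and takes the expected fingerprint as a parameter because the thread does not give it.

```python
"""Verify a CPAN distribution against a PGP clearsigned CHECKSUMS file.

Added example. The CHECKSUMS layout (a Perl hash of per-file entries with
'sha256' and 'size' keys) is an approximation from memory; the sample
tarball bytes and entry below are constructed for the example.
"""
import hashlib
import hmac
import re
import subprocess

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# One hash entry per file:  'Name-1.0.tar.gz' => { 'sha256' => '...', ... },
ENTRY_RE = re.compile(r"'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^{}]*)\}")
FIELD_RE = re.compile(r"'(?P<key>[\w-]+)'\s*=>\s*'?(?P<val>[^',\s]+)'?")


def strip_clearsign(text):
    """Return the message body of a PGP clearsigned file, dash-unescaped.

    Non-clearsigned text is returned unchanged. This only extracts the body;
    it does NOT check the signature (see verified_checksums_text).
    """
    if not text.startswith(BEGIN_SIGNED):
        return text
    _head, _, rest = text.partition("\n\n")           # skip armor headers
    body = rest.split("\n" + BEGIN_SIG, 1)[0]
    return "\n".join(line[2:] if line.startswith("- ") else line
                     for line in body.split("\n"))


def parse_checksums(text):
    """Parse CHECKSUMS into {filename: {'sha256': hex, 'size': int, ...}}."""
    entries = {}
    for m in ENTRY_RE.finditer(strip_clearsign(text)):
        fields = {f.group("key"): f.group("val")
                  for f in FIELD_RE.finditer(m.group("body"))}
        if "size" in fields:
            fields["size"] = int(fields["size"])
        entries[m.group("name")] = fields
    return entries


def verify_distribution(name, data, checksums):
    """Check size and SHA-256 of `data` against the CHECKSUMS entry for `name`.

    Returns (ok, reason). A missing entry or a missing sha256 field is a
    failure, never a silent pass.
    """
    entry = checksums.get(name)
    if entry is None:
        return False, "no CHECKSUMS entry for %s" % name
    if "sha256" not in entry:
        return False, "CHECKSUMS entry for %s has no sha256" % name
    if "size" in entry and entry["size"] != len(data):
        return False, "size mismatch: expected %d, got %d" % (entry["size"], len(data))
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "sha256 mismatch"
    return True, "ok"


def verified_checksums_text(path, expected_fingerprint, gpg="gpg"):
    """Read CHECKSUMS only after gpg reports a valid signature by the pinned key.

    Assumes gpg is on PATH and the archive's signing key is already imported
    (the fingerprint is a parameter; it is not given in the thread). The
    --status-fd VALIDSIG line is checked as well as the exit code, so a valid
    signature from some *other* key in the keyring is not accepted.
    """
    proc = subprocess.run([gpg, "--batch", "--status-fd", "1", "--verify", path],
                          capture_output=True, text=True)
    signer_ok = False
    for line in proc.stdout.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            signer_ok = parts[2].upper() == expected_fingerprint.upper()
    if proc.returncode != 0 or not signer_ok:
        raise RuntimeError("CHECKSUMS signature check failed: " + proc.stderr.strip())
    with open(path, encoding="utf-8") as fh:
        return strip_clearsign(fh.read())


# --- constructed sample so the example runs offline ------------------------
SAMPLE_NAME = "Acme-Example-0.01.tar.gz"
SAMPLE_BYTES = b"\x1f\x8b" + b"constructed stand-in for a gzipped tarball\n" * 16


def sample_checksums_text(name=SAMPLE_NAME, data=SAMPLE_BYTES):
    """Build a clearsigned-looking CHECKSUMS file for the sample (constructed;
    the PGP signature block is a placeholder, not a real signature)."""
    entry = ("$cksum = {\n"
             "  '%s' => {\n"
             "    'mtime' => '2019-10-24',\n"
             "    'sha256' => '%s',\n"
             "    'size' => %d\n"
             "  },\n"
             "};\n" % (name, hashlib.sha256(data).hexdigest(), len(data)))
    return (BEGIN_SIGNED + "\nHash: SHA256\n\n" + entry +
            BEGIN_SIG + "\n\nplaceholder\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    sums = parse_checksums(sample_checksums_text())
    print(verify_distribution(SAMPLE_NAME, SAMPLE_BYTES, sums))          # (True, 'ok')
    print(verify_distribution(SAMPLE_NAME, SAMPLE_BYTES + b"\0", sums))  # size mismatch
```

In real use the order matters: call verified_checksums_text() on the downloaded CHECKSUMS first, and only then parse_checksums() and verify_distribution() on the tarball; parsing an unverified CHECKSUMS file and trusting its hashes gives no more assurance than the transport did.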




More information about the Perl-maintainers mailing list