Bug#942851: perl-modules-5.30: CPAN.pm is insecure by default, no warnings

Vincent Lefevre vincent at vinc17.net
Sat Oct 26 14:23:43 BST 2019


On 2019-10-26 15:45:28 +0300, Niko Tyni wrote:
> I understand the CHECKSUMS files are PGP signed by the CPAN archive.
> I was referring to verifying these signatures. Whether the download
> is https or not is not relevant for that verification.

This is not documented and the signature does not appear to be
checked. Or do you have some proof?

Given that, https at least allows one to avoid MITM attacks.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)