Bug#1022200: CPAN should be more helpful on missing key when check_sigs is enabled (Was: Re: cpan: cannot check signatures)

Vincent Lefevre vincent at vinc17.net
Sat Oct 22 14:59:43 BST 2022


Hi,

On 2022-10-22 14:31:24 +0200, Clément Hermann wrote:
> I could reproduce your issue if I enable check_sigs option in CPAN
> (which is _not_ the default).

OK, I forgot about that (though I think that it should be the default
for security reasons, and IIRC, this was recommended for this reason
in some other thread).

> Thing is, it's not a bug, really. Or not quite. It's a result of the
> correction of a bug in CPAN < 2.29, which would succeed silently if there is no
> signature/no way to check the key.
> 
> You can find some context in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015985 and
> http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

I didn't know that. In particular, I had not received any announcement,
probably because it is still not fixed in Debian/stable. And
AFAIK, http is also still used by default in Debian/stable, which
makes the security even worse.

> I do agree that it's bad UX that CPAN isn't more helpful when the key isn't
> available, e.g. asking for it or suggesting a way to get it, but the fact
> that it fails if the key isn't available while the Checksums are signed is
> the right behavior, and your workaround (getting the key) is the right
> solution.
> 
> CPAN doesn't have a way to centralize keys themselves, and probably shouldn't,
> either. Not sure how such an error can be avoided completely (the Debian method
> of having a preconfigured keyring won't do for CPAN IMO), but it should at
> least suggest a solution.

I agree. There should be at least sufficient documentation when the
error occurs. If Debian could automatically provide the key and use
it, this would be better, IMHO: less work for the user, and this
would ensure (if correctly done) that the key is correct and still
valid.

-- 
Vincent Lefèvre <vincent at vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)