Bug#1022200: CPAN should be more helpful on missing key when check_sigs is enabled (Was: Re: cpan: cannot check signatures)
Clément Hermann
nodens at debian.org
Sat Oct 22 13:33:10 BST 2022
Hi!
Thanks for your report.
I could reproduce your issue if I enable check_sigs option in CPAN
(which is _not_ the default).
Thing is, it's not a bug, really. Or not quite. It's a result of the
correction of a bug in CPAN < 2.29 who would succeed silently if there
is no signature/no way to check the key.
You can find some context in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015985 and
http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html
I do agree that it's bad UX that CPAN isn't more helpful when the key
isn't available, e.g. asking for it or suggesting a way to get it, but
the fact that it fails if the key isn't available while the Checksums
are signed is the right behavior, and your workaround (getting the key)
is the right solution.
CPAN doesn't have a way to centralize key themself, and probably
shouldn't, either. Not sure how such error can be avoided completely
(the Debian method of having a preconfigured keyring won't do for CPAN
IMO), but it should at least suggest a solution.
So setting the severity back to normal, but still leaving the bug open,
since it's confusing for the user, and it could be done better (upstream).
Cheers,
--
nodens
More information about the Perl-maintainers
mailing list