Open dweekly opened 4 years ago
As noted in your Google Doc, Module::Signature doesn't offer any security. It checks that a signature file matches some text in another file, and neither file is secured. Checking two unsecured values against each other gives people the false hope that they are somehow protected. We should not be part of that charade.
There are other ways that we might handle this, some of which you noted in the link. However, this isn't one of the things we should pursue.
I agree that Module::Signature should not be used, at least not non-interactively, for the following reasons:
Some work being done:
Module::Signature is critical for validating signatures for downloaded CPAN modules; lacking enforced signatures or HTTPS support in CPAN, Perl installs don't know the provenance of the source code they are downloading and installing on their systems. This is a small patch to "promote" Module::Signature from the XXL bundle to the regular one as a step towards checking signatures systematically.
This PR is part of a larger effort to "Secure Perl" - comments welcome at https://docs.google.com/document/d/1DRkiCJhJu4RDI0u_JppBpFa0djouskxEyNHax912U_w/edit#
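The objection raised earlier in the thread (a SIGNATURE file that is fetched over the same unauthenticated channel as the files it describes only proves the two are consistent with each other) can be made concrete with a small model. The code below is an added illustration written for this page; it is not code from this PR or from Module::Signature, and it does not model the real module's PGP mechanics. The "SHA256 <hex> <path>" digest lines are loosely modelled on a SIGNATURE file; the sample distribution, the attacker's replacement file and the pinned HMAC key (standing in for a verifier key trusted out-of-band) are all constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample distribution (not a real CPAN dist): path -> file contents.
DIST = {
    "MANIFEST": b"MANIFEST\nSIGNATURE\nlib/Foo.pm\n",
    "lib/Foo.pm": b"package Foo;\nsub hello { 'hi' }\n1;\n",
}

# Assumption: a key the verifier already holds and the attacker does not. In a real
# scheme this would be the author's public key pinned by the verifier, not a shared secret.
PINNED_KEY = b"verifier-pinned-key"


def digest_list(files):
    """Build a SIGNATURE-style digest list: one 'SHA256 <hex> <path>' line per
    file (SIGNATURE itself excluded), sorted so the text is reproducible."""
    lines = []
    for path in sorted(files):
        if path == "SIGNATURE":
            continue
        lines.append(f"SHA256 {hashlib.sha256(files[path]).hexdigest()} {path}")
    return "\n".join(lines) + "\n"


def verify_digests(files, signature_text):
    """The unanchored check: recompute digests and compare them with the text in
    SIGNATURE. Anyone who can write both files can make this pass."""
    return hmac.compare_digest(digest_list(files).encode(), signature_text.encode())


def sign_digests(files, key):
    """Digest list plus a final 'TAG <hex>' line computed with the signer's key."""
    body = digest_list(files)
    tag = hmac.new(key, body.encode(), "sha256").hexdigest()
    return body + "TAG " + tag + "\n"


def verify_signed(files, signature_text, key):
    """The anchored check: the digest list must match the files AND carry a tag
    that only the holder of `key` could have produced."""
    lines = signature_text.splitlines()
    if not lines or not lines[-1].startswith("TAG "):
        return False
    body = "\n".join(lines[:-1]) + "\n"
    expected = hmac.new(key, body.encode(), "sha256").hexdigest()
    tag_ok = hmac.compare_digest(lines[-1][len("TAG "):], expected)
    return tag_ok and body == digest_list(files)


def attacker_scenario():
    """Attacker controls the download channel: swaps lib/Foo.pm and rewrites
    SIGNATURE to match. Returns (unanchored_result, anchored_result)."""
    tampered = dict(DIST)
    tampered["lib/Foo.pm"] = b"package Foo;\nsub hello { 'pwned' }\n1;\n"  # constructed payload
    tampered["SIGNATURE"] = digest_list(tampered)  # attacker regenerates the digest list too
    unanchored = verify_digests(tampered, tampered["SIGNATURE"])  # passes: files agree with each other
    # Without PINNED_KEY the attacker can only sign with a key of their own.
    forged = sign_digests(tampered, b"attacker-guess")
    anchored = verify_signed(tampered, forged, PINNED_KEY)  # fails: tag not from the pinned key
    return unanchored, anchored


if __name__ == "__main__":
    print("genuine, unanchored:", verify_digests(DIST, digest_list(DIST)))
    print("genuine, anchored:  ", verify_signed(DIST, sign_digests(DIST, PINNED_KEY), PINNED_KEY))
    print("tampered (unanchored, anchored):", attacker_scenario())
```

The unanchored check still has a use: it catches accidental corruption or a tampered file shipped with a stale SIGNATURE. What it cannot do is distinguish the author from whoever last wrote both files, which is the point being made above; only a verification step bound to a key the installer already trusts changes that.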