andk / cpanpm

CPAN.pm

Change check_sigs to on by default #139

Open dweekly opened 4 years ago

dweekly commented 4 years ago

We should protect Perl users out of the box by checking their module signatures unless they've told us otherwise.

When check_sigs was set to 0 for first-time users 13 years ago, there was a concern that the signature checking apparatus wasn't sufficiently mature. With more than a decade behind us, perhaps we could consider enabling this now as a sensible default.

If Module::Signature isn't installed, users are still able to install modules, just with a reminder to please install Module::Signature if they'd like to verify modules, so this change shouldn't exclude or break anyone.