briandfoy / ncarton

Perl's carton, extended
https://www.metacpan.org/pod/NCarton

cpanfile.snapshot should contain SHA256 checksum #3

Open akarelas opened 1 year ago

akarelas commented 1 year ago

...so the person running carton install --deployment can trust that the distribution has not been tampered with.

briandfoy commented 1 year ago

One of my goals at the moment is that cpanfile.snapshot looks like that for real carton.

But note that adding a SHA does not add anything to security. It only means that a digest in a file that is insecure matches a digest in some other file that is insecure. You don't know that both are genuine.

akarelas commented 1 year ago

Adding a SHA ensures that if you install software years from now, you can be sure that the CPAN or your DarkPAN dep hasn't been tampered with during those years (DarkPAN security may be an issue if disgruntled employees try to sabotage their employer). So that's something at least. Also, maybe metacpan will be encouraged to include an immutable SHA with all their releases if you add it to (n)carton.
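The check the two comments above are arguing about, as an added example that is not ncarton or carton code: a snapshot parser that reads a hypothetical `sha256:` key next to the real `pathname:` key (an assumption; carton's snapshot format has no such key today, which is what this issue proposes), and a verifier that compares the digest of the bytes about to be installed against the pin. The distribution names, paths and "tarball" byte strings are constructed for the example and are not real CPAN archives.

```perl
#!/usr/bin/env perl
# Added example, not ncarton/carton code. Verifies cached distribution
# tarballs against a sha256 pinned in cpanfile.snapshot.
# ASSUMPTION: the snapshot carries a "sha256:" line per distribution in
# addition to carton's real "pathname:" line. Carton does not emit one today.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Parse the DISTRIBUTIONS section of a snapshot into
# { dist_name => { pathname => ..., sha256 => ... } }.
# Only the keys this check needs are kept; provides/requirements are skipped.
sub parse_snapshot {
    my ($text) = @_;
    my (%dists, $current);
    for my $line (split /\n/, $text) {
        next unless $line =~ /\S/;
        next if $line =~ /^#/;
        next if $line eq 'DISTRIBUTIONS';
        if ($line =~ /^  (\S+)$/) {                 # two-space indent: dist name
            $current = $1;
            $dists{$current} = {};
        }
        elsif (defined $current && $line =~ /^    (pathname|sha256): (\S+)$/) {
            $dists{$current}{$1} = $2;              # four-space indent: key/value
        }
    }
    return \%dists;
}

# Compare the digest of the bytes we are about to install with the pin.
# Returns 'ok', 'mismatch', or 'unpinned' (no sha256 recorded for the dist).
sub verify_dist {
    my ($entry, $tarball_bytes) = @_;
    return 'unpinned' unless defined $entry->{sha256};
    my $actual = sha256_hex($tarball_bytes);
    return $actual eq lc($entry->{sha256}) ? 'ok' : 'mismatch';
}

# Constructed sample input: treat these byte strings as the archives that
# were on the mirror/DarkPAN when the snapshot was written.
my %published = (
    'Foo-Bar-1.00' => "constructed tarball bytes for Foo-Bar-1.00\n",
    'Baz-2.10'     => "constructed tarball bytes for Baz-2.10\n",
);

# The snapshot records the digest of what was published at pin time.
# Qux-0.01 is deliberately left without a sha256 line.
my $snapshot = join "\n",
    '# carton snapshot format: version 1.0',
    'DISTRIBUTIONS',
    '  Foo-Bar-1.00',
    '    pathname: F/FO/FOO/Foo-Bar-1.00.tar.gz',
    '    sha256: ' . sha256_hex($published{'Foo-Bar-1.00'}),
    '  Baz-2.10',
    '    pathname: B/BA/BAZ/Baz-2.10.tar.gz',
    '    sha256: ' . sha256_hex($published{'Baz-2.10'}),
    '  Qux-0.01',
    '    pathname: Q/QU/QUX/Qux-0.01.tar.gz',
    '';

# Years later, at `carton install --deployment` time: Foo-Bar is untouched,
# Baz has been silently replaced on the mirror, and Qux was never pinned.
my %fetched = (
    'Foo-Bar-1.00' => $published{'Foo-Bar-1.00'},
    'Baz-2.10'     => "constructed tarball bytes for Baz-2.10 plus a backdoor\n",
    'Qux-0.01'     => "constructed tarball bytes for Qux-0.01\n",
);

my $dists = parse_snapshot($snapshot);
my @bad;
for my $name (sort keys %$dists) {
    my $status = verify_dist($dists->{$name}, $fetched{$name});
    printf "%-13s %s\n", $name, $status;
    push @bad, $name if $status eq 'mismatch';
}
die "refusing to install: digest mismatch for @bad\n" if @bad;
```

Note what this does and does not establish. It detects that the bytes fetched today differ from the bytes that were present when the pin was written, which is the drift-over-time case (and a DarkPAN replacement, as long as the snapshot itself lives somewhere the attacker could not also rewrite, such as a reviewed version-control history). It does not establish that the original archive was genuine, and it is defeated if the snapshot and the tarball are replaced together, so treating the snapshot as a trusted, reviewed artifact is what gives the pin its value. An 'unpinned' result should be surfaced rather than silently accepted, otherwise a single missing line downgrades the whole check.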

briandfoy commented 1 year ago

I'm not strictly opposed to this idea, but I also don't have time to work on it. If someone wants to talk about it, open a page in the wiki to sketch out how it would work.