I really like the idea of having a built-in method of verifying
the integrity of a module. This could "easily" be done by
using a PGP/GPG-style mechanism or simply a built-in
method of checking an appended IDEA (crypto-)hash of the source
code and/or any XS used by the module.
A really simple way would be to extend the __DATA__
mechanism to also include a __SIGNATURE__
section, which contains an (IDEA)(crypto-)hash of the source
code, which can then be checked optionally by Perl
against the code and (if available) against a local list of
"trusted" keys. Of course, if that list of trusted keys is compromised,
all security is down, but if that list can be compromised,
bets are that everything else already has been as well.
So, as I see it, a two-fold protection mechanism would
need to be in place. One, a public/private key system
with CPAN as a central repository for the public
keys, so that everybody can check the authenticity of
their modules, and a second, global public/private key, owned
by CPAN, to check the integrity of every module
locally at any time.
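A sketch of the check proposed above, added here as an example and not code from the original post or from Perl itself. The one-line trailer layout (key id, SHA-256 digest, MAC), the key names and the sample module are assumptions, and HMAC-SHA256 stands in for the public-key signature so that it runs with core modules only.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex hmac_sha256_hex);

# Constructed trust list: key id => secret. HMAC stands in for a public-key
# signature so the example runs with core modules only.
my %trusted = ('author-1' => 'constructed-demo-secret');

# Split source into (signed body, key id, digest, mac). The trailer must be
# the last thing in the file, so nothing unsigned can follow it.
sub split_signature {
    my ($src) = @_;
    return unless $src =~
        /\A(.*?\n)__SIGNATURE__\n(\S+) ([0-9a-f]{64}) ([0-9a-f]{64})\n?\z/s;
    return ($1, $2, $3, $4);
}

# Compare two hex strings without stopping at the first differing character.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_module {
    my ($src, $keys) = @_;
    my ($body, $kid, $digest, $mac) = split_signature($src) or return 'unsigned';
    return 'corrupt' unless ct_eq(sha256_hex($body), $digest);
    my $key = $keys->{$kid};
    return 'untrusted-key' unless defined $key;
    return ct_eq(hmac_sha256_hex($body, $key), $mac) ? 'ok' : 'bad-signature';
}
# Signing side, used here only to build the constructed samples.
sub trailer {
    my ($body, $kid, $mac) = @_;
    return $body . "__SIGNATURE__\n$kid " . sha256_hex($body) . " $mac\n";
}
my $body = "package Demo;\nsub answer { 42 }\n1;\n";    # constructed module
my $mac  = hmac_sha256_hex($body, $trusted{'author-1'});
(my $edited = $body) =~ s/42/43/;
my %case = (
    intact   => trailer($body,   'author-1', $mac),
    rehashed => trailer($edited, 'author-1', $mac),   # digest redone, MAC stale
    unknown  => trailer($body,   'nobody',   $mac),
    unsigned => $body,
);
printf "%-9s %s\n", $_, verify_module($case{$_}, \%trusted) for sort keys %case;
```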