Indeed, the keyserver has a very important role here (at least while OpenPGP is the chosen approach). I actually believe this part is all right as long as Internet access is avaiable.

But my point is that security is not enforced in any way. Seems almost like it's an afterthought.

And actually, I think there might be some workarounds (some with OpenPGP, some with other approaches):

• With OpenPGP approach, maybe some keys from known developers could be shipped together with perl (or maybe in separate packages depending on the operating system). These keys take some time to expire, and could be used to check for new other keys, in a Web of Trust;
• Outside of OpenPGP approach, however, there are options too. For instance, I like OpenBSD's approach, with signify . Every OpenBSD release contains the key necessary to verify the next release, so indirectly every new key is signed by its predecessor.
  
  Maybe this could be applied to every Perl distribution, in the sense that every distribution comes with the necessary key for the next version. That way, at least every update will be safe. It's worth noting these keys are relatively small (thanks to ED25519 algorithm), so shipping them is cheap.
  
  That way, only the first install would be unsafe, and a compromised key could be easily detected during updates.

I know crypto solutions are not trivial, but I believe there are options. I completely agree with the idea of giving choice to the users, but I think security should be opt-out, not opt-in.

I agree. This seems to be a hard problem, and broader than Perl's CPAN. PyPI, RubyGems, and Npm, for example, all face similar problems:

• Malicious modules made it into official PyPI repository
• Backdoored Ruby gems stole credentials, injected cryptomining code
• NPM blog on malicious modules
• Typosquatting package managers blog
• OT. Malicious software in PyPI by parv (2021) (Update)
• Malicious module on CPAN by choroba (2020) (Update)
• sometimes no Perl news is good news by zentara (2021) (Update)
• CPAN clients exposed to sig-related vulnerabilities by hippo (2021) (Update)
• Signature Verification Vulnerabilities in CPAN.pm, cpanminus and CPAN::Checksums - Hackeriet blog (Update)
• Addressing CPAN vulnerabilities related to checksums - blog by Neil Bowers (Update)
• Re^7: Meaning of XS object version (Package Manager Security References - example building Perl securely from source) by me (2023) (Update)

It might be interesting to compare (and learn from) the security approaches taken by each of these similar mature open source repositories.

Update (2023)

> I'm not (yet) making heavy use of cpan or cpanm tools, and I'm still getting used to them

In case it helps, a detailed example of installing modules from CPAN securely on Linux, using cpan and cpanm, can now be found here.

Thanks to your question, I now keep a long list of Security References (don't want to disappoint the LanX ;-):

• Re: Security techniques every programmer should know (Security References)

Thanks for the idea. Shipping a root key with Perl and signing (perhaps via a few intermediaries) the developers' keys with it to let them sign their distributions would solve part of the Alice problem by providing a way for the user to verify that the package has been signed with a key known to the owner of the key (CPAN) which was signed by the root (Perl) key. I agree that having this system is better than not having a way to validate a developer's key and that this should protect from the evil mirror problem if the existing Perl installation is clean (and that latter assumption we just have to trust, see "Reflections on trusting trust" by Ken Thompson).

The current situation can be somewhat circumvented by only downloading packages from https://cpan.org/authors/id/... (effectively limiting oneself to a single mirror, which doesn't quite scale, and having to trust the HTTPS PKI, which is arguably not as good as a dedicated Perl PKI).

It should also be noted that typical supply chain attacks on modules involve typosquatting and taking over unmaintained modules, which, aside the author's public key visibly changing, wouldn't raise any louder alerts: the attacker would look the same as any other CPAN citizen, but the signed code supplied by them would also be malicious. But that's a social problem, likely impossible to solve by purely technical means.

But then, how would you know that the "shipped root key" is authentic?