not all the modules had the signatures;

Correct, including mine.

They ought to be evicted,

What? Because they where uploaded before CPAN supported the current security circus? As you have seen yourself, many of those old modules are still in use.

or updated/replaced with a version with signatures (along with updated PAUSE keys).

By whom? The original author who may or may not be willing to put in the work? The people who run CPAN who can't create signatures in the name of the author? You, by taking over hundreds of modules?

packages are downloaded over "https"/secure connection

My cpan client config says https://cpan.org/

That being said, a CPAN module signature doesn't guarantee it's safe to use. If the author has evil intend, generating a fake online identity and a cryptographic signature is not a roadblock.

A lot of that security theater is, in my opinion, required by lawyers and consultants: "If you use that module and we get a security breach, we can sue the author". Newsflash, that doesn't work in OpenSource. Even if you can find the author, the license probably says something about "package is provided 'as is' ... no warranty regarding fitness for a particular purpose".

So, in conclusion: Without doing an in-depth security review of every downloaded file, you don't know if it's secure. (And even with a review, you only have some degree of certainty). And you basically have no recourse if something goes wrong.

Using commercial software doesn't help, either. Those Business-to-Business contracts basically isolate the seller from most legal and financial responsibility. But companies like Microsoft are known to always be on the customer side and provide the best, securest software possible...

(Manually quoting & attributing -- more than a level as a direct reply to OP sans explicit attribution -- is excruciating. Feel free to re-edit the quote-in-pre as one sees fit.)

cavac wrote ...
> parv wrote ...
> > or updated/replaced with a version with signatures (along
> > with updated PAUSE keys).

> By whom? The original author who may or may not be willing
> to put in the work? The people who run CPAN who can't create
> signatures in the name of the author? You, by taking over
> hundreds of modules?

Could CPAN/PAUSE maintainers not inject|update the signatures unilaterally with only PAUSE keys (in the modules whose authors "may not be willing to put in the work")? That would indicate that at least they think the files are genuine.

If I had more skin in CPAN, then would have been more than willing to update all the modules myself, yes "by taking over hundreds of modules" if that was what would have been required to do updates.

Could CPAN/PAUSE maintainers not inject|update the signatures unilaterally with only PAUSE keys

I think this is a good idea all by itself, separate from whether the distro author "signs" it: it would provide a validation that the archive file being downloaded was exactly the same as the one originally placed on PAUSE. And it can be implemented right now, retroactively.

By early 2024, "http" was the default in cpanminus; work on making "https" the default is still ongoing: cpanminus: make cpanm secure by default #674.

Oh, also found CVE-2020-16154 remove the functionality to verify CHECKSUMS signature #638.

One day ... :-/

By early 2024, "http" was the default in cpanminus; work on making "https" the default is still ongoing

Good point, thanks for mentioning it. When I was writing this node back in 2023 I was kindly advised by hippo to invoke the cpanm command like this:

$ cpanm --from https://www.cpan.org/ ...

Checking my original inst-cpanminus.tmp log file from that node, I was relieved to see that this cpan command:

$ cpan App::cpanminus 2>&1 | tee inst-cpanminus.tmp

always used https by default. So it seems this is one thing the cpan command does better than cpanm.

👁️🍾👍🦟