in reply to Re^2: Building Perl and CPAN Modules Securely from Source
in thread Building Perl and CPAN Modules Securely from Source
cavac wrote ...
> parv wrote ...
> > or updated/replaced with a version with signatures (along
> > with updated PAUSE keys).
> By whom? The original author who may or may not be willing
> to put in the work? The people who run CPAN who can't create
> signatures in the name of the author? You, by taking over
> hundreds of modules?
Could CPAN/PAUSE maintainers not inject|update the signatures unilaterally with only PAUSE keys (in the modules whose authors "may not be willing to put in the work")? That would indicate that at least they think the files are genuine.
If I had more skin in CPAN, then I would have been more than willing to update all the modules myself, yes "by taking over hundreds of modules" if that was what would have been required to do updates.
Re^4: Building Perl and CPAN Modules Securely from Source
by etj (Priest) on Sep 06, 2024 at 12:59 UTC