syxzys has asked for the wisdom of the Perl Monks concerning the following question:

I've been playing around a lot with NetBSD lately, which has gotten me used to compiling *everything* (including Perl!) from source. I think it's great fun; I don't know what that says about my personality—you can draw your own conclusions. :)

I got stung by some of the VIA southbridge data corruption bugs last year, and I also worry about trojaned source repositories since I do this kind of thing for fun and profit. So when I download a source tarball, I like to check it with GnuPG, or at least have some checksums around.

Well, I downloaded perl 5.8.0 from CPAN this morning, and then I went looking for signatures/checksums/etc. I looked around pretty hard (on google—even got to use their nifty Advanced Search features—and with Super Search) for anything mentioning perl source distributions and checksums, PGP signatures, etc. together. Nothing. (Actually I got a page containing a quote from Larry Wall, and a different funny quote about digital signatures, which made me smile, but didn't help otherwise.) :)

So what I was wondering is, why can't I find anything? Here's what I've come up with so far:

So what's the deal? Why can't I find any digital signatures or checksums for Perl?

NOTES:

  1. I realize that (last time I checked anyway) the CPAN module doesn't bother doing checksums/digital signatures/etc. either. For some irrational reason this doesn't bother me as much. It would be *really* annoying to have to install gpg, sha1sum, etc. just to quickly install a few Perl modules.
  2. I thought of just downloading the source on Debian and checking the sigs there, then moving the tarballs over to NetBSD manually. But that doesn't solve the philosophical issue—how do I know *they* didn't download a trojaned copy of perl? Besides, I wanted 5.8.0, but testing is on 5.6.1, and I'm too lazy to go look in unstable to see if they've uploaded 5.8.0 yet. :)
  3. I noticed this last time I compiled Perl on NetBSD too, but that was many months ago late at night, and without caffeine. :)

Re: Digital signatures/checksums for Perl source tarballs
by valdez (Monsignor) on Nov 06, 2002 at 19:53 UTC

    Welcome syxzys!

    I did a little search for signatures on CPAN and found two interesting modules: Module::Signature and Test::Signature.
    The first one can generate and validate signatures (a manifest file with md5 sums); the second one is used to validate files during tests. Reading some documentation I discovered that module authors can provide a signature file, which will be shown as a SIGNATURE link on the module 'homepage' on CPAN.

    CPANPLUS uses Module::Signature to check signatures available via CPAN. All of these modules have a SIGNATURE link, but not our beloved Perl :)

    Ciao, Valerio

    Update: some authors provide CHECKSUMS files in their directory on CPAN.
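    As an added illustration of the CHECKSUMS-based check Valerio mentions (this is example code written for this page, not code from the thread, from CPAN.pm or from Module::Signature), the script below verifies the signature on a CPAN-style CHECKSUMS file before trusting any digest in it, then compares the tarball against the listed sha256 (or md5, if that is all the file offers). It assumes the CHECKSUMS file is PGP-clearsigned as the ones on CPAN are today, that gpg is on PATH, and that the signing key has already been imported and trusted locally.

```perl
#!/usr/bin/perl
# verify_tarball.pl TARBALL CHECKSUMS
# Added example, not CPAN.pm's own code. Assumes a clearsigned CHECKSUMS,
# gpg on PATH, and the signer's key already imported and trusted.
use strict;
use warnings;
use Safe;
use Digest::SHA qw(sha256_hex);
use Digest::MD5 qw(md5_hex);
use File::Basename qw(basename);

my ($tarball, $checksums) = @ARGV;
die "usage: $0 TARBALL CHECKSUMS\n" unless defined $tarball && defined $checksums;

# 1. Verify the signature on CHECKSUMS first: an unsigned or tampered
#    digest list proves nothing about the tarball.
system('gpg', '--batch', '--verify', $checksums) == 0
    or die "CHECKSUMS signature did not verify; refusing to continue\n";

# 2. Pull the "$cksum = { ... };" hash out of the signed text and evaluate
#    it inside a Safe compartment, so a hostile file cannot run arbitrary code.
open my $fh, '<', $checksums or die "open $checksums: $!";
my $text = do { local $/; <$fh> };
close $fh;
my ($code) = $text =~ /(\$cksum\s*=\s*\{.*?\n\};)/s
    or die "no \$cksum hash found in $checksums\n";
my $cksum = Safe->new->reval($code);
die "could not parse CHECKSUMS: $@" if $@ || ref $cksum ne 'HASH';

my $name  = basename($tarball);
my $entry = $cksum->{$name} or die "$name is not listed in CHECKSUMS\n";

# 3. Digest the tarball and compare. Prefer sha256; fall back to md5 only
#    when the file offers nothing stronger (older CHECKSUMS had only md5).
open my $tf, '<:raw', $tarball or die "open $tarball: $!";
my $data = do { local $/; <$tf> };
close $tf;

if (defined $entry->{size} && $entry->{size} != length $data) {
    die "size mismatch: expected $entry->{size}, got ", length $data, "\n";
}
my ($algo, $got, $want) =
    defined $entry->{sha256} ? ('sha256', sha256_hex($data), $entry->{sha256})
  : defined $entry->{md5}    ? ('md5',    md5_hex($data),    $entry->{md5})
  : die "no digest for $name in CHECKSUMS\n";

die "$algo MISMATCH: expected $want, got $got\n" unless lc $got eq lc $want;
print "$name: $algo OK, CHECKSUMS signature OK\n";
```

The order matters: a digest taken from an unverified CHECKSUMS file only tells you the tarball matches whatever the mirror served, which is exactly the trojaned-repository case the question worries about.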

Re: Digital signatures/checksums for Perl source tarballs
by Kanji (Parson) on Nov 06, 2002 at 20:46 UTC
    Hey thanks - that's just the sort of thing I was looking for. You're right though—it isn't obvious. Knowing to look in the pumpking's checksum file is the key. :)