in reply to Re: Re: Perl Monks += TMTOWTDI
in thread Perl Monks += TMTOWTDI

The idea for some kind of quality control of CPAN modules is actually quite old, but I've never done anything with it. Many people have had ideas, but it all turned out to be harder than you would think.

But this has nothing to do with signing modules. Or CPAN mirrors following some practice. Quality control is saying "this module rocks" and "that module sucks", but then in a polite and useful way.

Signing modules has everything to do with authentication. There's no real signing going on right now, but for all modules, an MD5 hash is stored in the CHECKSUMS file in the author's CPAN directory. You could always check the MD5 hash of a module you downloaded against the MD5 hash stored on a CPAN mirror you trust.

And of course, module authors could always leave a PGP signature of the files containing code in their module distribution.

Abigail
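The check described above, as an added example that is not part of the original post: a CHECKSUMS file is a Perl data structure (a hash keyed by distribution file name, each entry carrying an `md5` hex digest and a `size`), which this script evaluates and then compares against the bytes of a downloaded tarball. The CHECKSUMS text, the "tarball" bytes and the distribution names are constructed for the example; evaluating the file inside a `Safe` compartment is this example's choice, not a statement about how CPAN.pm itself does it.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Safe;

# A CHECKSUMS file is Perl code that assigns a hash reference: file name =>
# { md5 => '<hex>', size => <bytes>, ... }. Evaluate it inside a Safe
# compartment rather than with a bare eval, so a mirror serving a
# booby-trapped CHECKSUMS cannot run arbitrary code on the client.
# (Using Safe here is this example's choice, not a claim about CPAN.pm.)
sub parse_checksums {
    my ($text) = @_;
    my $cpt   = Safe->new;
    my $cksum = $cpt->reval($text);
    die "CHECKSUMS failed to parse: $@" if $@;
    die "CHECKSUMS did not yield a hash\n" unless ref $cksum eq 'HASH';
    return $cksum;
}

# Compare a downloaded distribution (raw bytes) against its trusted entry.
# Returns (1, 'ok') or (0, reason). Size is checked first: it is cheap and
# catches a truncated download before any hashing is done.
sub verify_distribution {
    my ($cksum, $name, $bytes) = @_;
    my $entry = $cksum->{$name}
        or return (0, "no entry for $name in CHECKSUMS");
    if (defined $entry->{size} and $entry->{size} != length $bytes) {
        return (0, sprintf "size mismatch: got %d, expected %d",
                    length $bytes, $entry->{size});
    }
    my $got = md5_hex($bytes);
    return (0, "md5 mismatch: got $got, expected $entry->{md5}")
        unless lc $got eq lc $entry->{md5};
    return (1, 'ok');
}

# --- Constructed sample data (not real CPAN content) ---------------------
# Stand-in for the bytes of Foo-Bar-1.00.tar.gz. md5("hello world") is the
# well-known 5eb63bbbe01eeed093cb22bb8f5acdc3, so the CHECKSUMS text below
# is consistent with this "good" copy.
my $good_copy     = 'hello world';
my $tampered_copy = 'hello w0rld';   # same size, one byte changed

my $checksums_text = <<'END';
$cksum = {
  'Foo-Bar-1.00.tar.gz' => {
    'md5'  => '5eb63bbbe01eeed093cb22bb8f5acdc3',
    'size' => 11,
  },
};
END

my $cksum = parse_checksums($checksums_text);

for my $case (['good copy',     $good_copy],
              ['tampered copy', $tampered_copy],
              ['unknown file',  $good_copy, 'Foo-Bar-2.00.tar.gz']) {
    my ($label, $bytes, $name) = @$case;
    $name = 'Foo-Bar-1.00.tar.gz' unless defined $name;
    my ($ok, $why) = verify_distribution($cksum, $name, $bytes);
    printf "%-14s %s: %s\n", $label, ($ok ? 'PASS' : 'FAIL'), $why;
}
```

The good copy passes, the tampered copy fails on the digest, and a file the CHECKSUMS does not list is rejected outright. Note what this does and does not buy you: the comparison is only as trustworthy as the mirror that served the CHECKSUMS file, which is exactly why the post says to take that file from a mirror you trust; it says nothing about who built the distribution, which is what a per-author PGP signature would add. MD5 has since been shown not to be collision-resistant, so a check written today would use a stronger digest in the same structure.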

Re: Re: Perl Monks += TMTOWTDI
by Anonymous Monk on Apr 16, 2003 at 11:56 UTC
    But this has nothing to do with signing modules. Or CPAN mirrors following some practice. Quality control is saying "this module rocks" and "that module sucks", but then in a polite and useful way.

    That doesn't deal with the problem of authors uploading Foo::Bar version 1.0, getting great reviews, then creating many very subtle bugs in version 2.0. It also doesn't deal with mirrors that distribute sabotaged modules (matching the modules with a trusted site's MD5s does address it, though).

    I'm probably overanalyzing this though. I think a large part of CPAN's success has been its simplicity and open structure. Thanks for the replies :).