in reply to Re: Perl Monks += TMTOWTDI
in thread Perl Monks += TMTOWTDI
But this has nothing to do with signing modules. Or CPAN mirrors following some practice. Quality control is saying "this module rocks" and "that module sucks", but then in a polite and useful way.
That doesn't deal with the problem of authors uploading Foo::Bar version 1.0, getting great reviews, then creating many very subtle bugs in version 2.0. It also doesn't deal with mirrors that distribute sabotaged modules (matching the modules with a trusted site's MD5s does address it though).
I'm probably overanalyzing this though. I think a large part of CPAN's success has been its simplicity and open structure. Thanks for the replies :).