I guess this is a wrong solution for a correct problem. The solution I decided a while ago, includes signing the code I upload to CPAN with GPG, so that people can verify it. This still gives no assurance so as to the potentially malicious intent that a given author might have, but allows users to authenticate the code properly.

Best regards

-lem, but some call me fokat