comment on

Indeed, the keyserver has a very important role here (at least while OpenPGP is the chosen approach). I actually believe this part is all right as long as Internet access is avaiable.

But my point is that security is not enforced in any way. Seems almost like it's an afterthought.

And actually, I think there might be some workarounds (some with OpenPGP, some with other approaches):

With OpenPGP approach, maybe some keys from known developers could be shipped together with perl (or maybe in separate packages depending on the operating system). These keys take some time to expire, and could be used to check for new other keys, in a Web of Trust;
Outside of OpenPGP approach, however, there are options too. For instance, I like OpenBSD's approach, with signify . Every OpenBSD release contains the key necessary to verify the next release, so indirectly every new key is signed by its predecessor.

Maybe this could be applied to every Perl distribution, in the sense that every distribution comes with the necessary key for the next version. That way, at least every update will be safe. It's worth noting these keys are relatively small (thanks to ED25519 algorithm), so shipping them is cheap.

That way, only the first install would be unsafe, and a compromised key could be easily detected during updates.

I know crypto solutions are not trivial, but I believe there are options. I completely agree with the idea of giving choice to the users, but I think security should be opt-out, not opt-in.

return on_success() or die;

In reply to Re^2: cpan/cpanm integrity and authenticy checks concerns by hrcerq
in thread cpan/cpanm integrity and authenticy checks concerns by hrcerq

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.