Thanks for the idea. Shipping a root key with Perl and signing (perhaps via a few intermediaries) the developers' keys with it to let them sign their distributions would solve part of the Alice problem by providing a way for the user to verify that the package has been signed with a key known to the owner of the key (CPAN) which was signed by the root (Perl) key. I agree that having this system is better than not having a way to validate a developer's key and that this should protect from the evil mirror problem if the existing Perl installation is clean (and that latter assumption we just have to trust, see "Reflections on trusting trust" by Ken Thompson).
The current situation can be somewhat circumvented by only downloading packages from https://cpan.org/authors/id/... (effectively limiting oneself to a single mirror, which doesn't quite scale, and having to trust the HTTPS PKI, which is arguably not as good as a dedicated Perl PKI).
It should also be noted that typical supply chain attacks on modules involve typosquatting and taking over unmaintained modules, which, aside the author's public key visibly changing, wouldn't raise any louder alerts: the attacker would look the same as any other CPAN citizen, but the signed code supplied by them would also be malicious. But that's a social problem, likely impossible to solve by purely technical means.
In reply to Re^3: cpan/cpanm integrity and authenticy checks concerns
by Anonymous Monk
in thread cpan/cpanm integrity and authenticy checks concerns
by hrcerq
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |