not all the modules had the signatures;
Correct, including mine.
They ought to be evicted,
What? Because they were uploaded before CPAN supported the current security circus? As you have seen yourself, many of those old modules are still in use.
or updated/replaced with a version with signatures (along with updated PAUSE keys).
By whom? The original author who may or may not be willing to put in the work? The people who run CPAN who can't create signatures in the name of the author? You, by taking over hundreds of modules?
packages are downloaded over "https"/secure connection
My cpan client config says https://cpan.org/
That being said, a CPAN module signature doesn't guarantee it's safe to use. If the author has evil intent, generating a fake online identity and a cryptographic signature is not a roadblock.
A lot of that security theater is, in my opinion, required by lawyers and consultants: "If you use that module and we get a security breach, we can sue the author". Newsflash, that doesn't work in open source. Even if you can find the author, the license probably says something about "package is provided 'as is' ... no warranty regarding fitness for a particular purpose".
So, in conclusion: Without doing an in-depth security review of every downloaded file, you don't know if it's secure. (And even with a review, you only have some degree of certainty). And you basically have no recourse if something goes wrong.
Using commercial software doesn't help, either. Those Business-to-Business contracts basically isolate the seller from most legal and financial responsibility. But companies like Microsoft are known to always be on the customer side and provide the best, securest software possible...
In reply to Re^2: Building Perl and CPAN Modules Securely from Source
by cavac
in thread Building Perl and CPAN Modules Securely from Source
by eyepopslikeamosquito
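The two checks the post touches on (does a distribution ship a SIGNATURE at all, and is the cpan client actually configured with an https mirror) can be scripted. The following is an added example, not code from cavac, eyepopslikeamosquito, or any CPAN module's own test suite. It assumes Module::Signature is installed and is run from inside an unpacked distribution directory, and it reads the client's mirror list through CPAN.pm's own config loader (CPAN::HandleConfig->load and $CPAN::Config->{urllist}).

```perl
#!/usr/bin/env perl
# Added example (not from the PerlMonks thread): report whether the CPAN
# distribution in the current directory ships a SIGNATURE file and whether
# Module::Signature accepts it, then list which configured cpan mirrors
# are not reached over https. Assumes Module::Signature is installed.
use strict;
use warnings;
use Module::Signature qw(verify SIGNATURE_OK SIGNATURE_MISSING
                         SIGNATURE_MALFORMED SIGNATURE_BAD
                         SIGNATURE_MISMATCH MANIFEST_MISMATCH CIPHER_UNKNOWN);
use CPAN;

# Map Module::Signature's return codes to a one-line explanation.
# Note the wording for SIGNATURE_OK: a valid signature only proves who
# signed the tarball, not that the code inside is safe to run.
my %meaning = (
    SIGNATURE_OK()        => 'SIGNATURE verified (proves who signed, not that the code is safe)',
    SIGNATURE_MISSING()   => 'no SIGNATURE file shipped (common for older distributions)',
    SIGNATURE_MALFORMED() => 'SIGNATURE file present but malformed',
    SIGNATURE_BAD()       => 'signature does not verify (bad signature or unknown key)',
    SIGNATURE_MISMATCH()  => 'signature verifies, but file digests differ from SIGNATURE',
    MANIFEST_MISMATCH()   => 'MANIFEST does not match the files in the distribution',
    CIPHER_UNKNOWN()      => 'SIGNATURE uses a digest algorithm this Module::Signature cannot check',
);

# verify() checks MANIFEST and SIGNATURE in the current working directory.
my $rc = verify();
print "Module::Signature::verify() returned $rc: ",
      ($meaning{$rc} // 'unrecognised result code'), "\n";

# Load the cpan client's configuration (CPAN/Config.pm or MyConfig.pm)
# and flag every mirror URL that is not https.
CPAN::HandleConfig->load;
my @mirrors = @{ $CPAN::Config->{urllist} || [] };
print "No urllist configured; the cpan client will pick a mirror itself.\n"
    unless @mirrors;
for my $url (@mirrors) {
    my $scheme = $url =~ m{^(\w+)://} ? lc $1 : 'unknown';
    printf "%-8s %s%s\n", $scheme, $url,
        ($scheme eq 'https' ? '' : '   <- not https, downloads are unauthenticated in transit');
}

exit($rc == SIGNATURE_OK ? 0 : 1);
```

Run it as `perl check-dist.pl` inside the unpacked distribution. A non-zero exit means the distribution either has no SIGNATURE or the signature failed to verify; a zero exit still tells you nothing about whether the author's code is trustworthy, which is exactly the point made above.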