I've been playing around a lot with NetBSD lately, which has gotten me used to compiling *everything* (including Perl!) from source. I think it's great fun; I don't know what that says about my personality—you can draw your own conclusions. :)
I got stung by some of the VIA southbridge data corruption bugs last year, and I also worry about trojaned source repositories since I do this kind of thing for fun and profit. So when I download a source tarball, I like to check it with GnuPG, or at least have some checksums around.
Well, I downloaded perl 5.8.0 from CPAN this morning, and then I went looking for signatures/checksums/etc. I looked around pretty hard (on Google—even got to use their nifty Advanced Search features—and with Super Search) for anything mentioning perl source distributions and checksums, PGP signatures, etc. together. Nothing. (Actually I got a page containing a quote from Larry Wall, and a different funny quote about digital signatures, which made me smile, but didn't help otherwise.) :)
So what I was wondering is, why can't I find anything? Here's what I've come up with so far:
- Checksums/digital signatures exist, but I don't know where to look (highly likely).
- CPAN doesn't have enough computing power/disk I/O bandwidth to sign everything that gets uploaded to them (likely).
- The Powers That Be are against checksums or digital signatures for philosophical reasons (???).
- Nobody who compiles Perl from source cares if their machine gets trojaned, or else they all have a magical Larry connection so they "just know" they have the right file (highly unlikely).
- Nobody ever brought this up before (highly unlikely).
- Something else I didn't think of.
So what's the deal? Why can't I find any digital signatures or checksums for Perl?
NOTES:
- I realize that (last time I checked anyway) the CPAN module doesn't bother doing checksums/digital signatures/etc. either. For some irrational reason this doesn't bother me as much. It would be *really* annoying to have to install gpg, sha1sum, etc. just to quickly install a few Perl modules.
- I thought of just downloading the source on Debian and checking the sigs there, then moving the tarballs over to NetBSD manually. But that doesn't solve the philosophical issue—how do I know *they* didn't download a trojaned copy of perl? Besides, I wanted 5.8.0, but testing is on 5.6.1, and I'm too lazy to go look in unstable to see if they've uploaded 5.8.0 yet. :)
- I noticed this last time I compiled Perl on NetBSD too, but that was many months ago late at night, and without caffeine. :)