Well, based on the above, I'd say it depends. Do you trust that this is the correct PAUSE key? If not, don't sign it. If so, sign it. What may help is to look at the key and see who else has signed it. Of course, that depends on you trusting that those others really did sign it, and it wasn't merely signed by some guy pretending to be merlyn or TimToady or whatever.

Personally, without finding a method to validate the fingerprint against a site that I do trust, I wouldn't sign it. And that's partly because, let's be honest here, you're no worse off than you were before this whole signing thing started. You trusted that CPAN authors weren't trying to hose your system by faking some code that looks like it's doing something useful, but actually is opening a hole in your security. And, with signing, all that does is prove that the person holding the private key (whoever that is) actually wrote that hole in your security. It has not increased your security significantly. But it does prevent tampering - if you get a patched module, the signature won't match anymore, and you'll know it, whether you trust the signature or not. Well, as long as you continue to read the warnings/run the tests. And I doubt that PAUSE is signing the modules (other than CPAN) anyway, so you'd actually still get the unknown warnings from new modules.


In reply to Re^3: cpan upgrade - "key is not certified with a trusted signature." Concern? by Tanktalus
in thread cpan upgrade - "key is not certified with a trusted signature." Concern? by locked_user sundialsvc4
