in reply to How to create/generate META.yml and SIGNATURE files for CPAN

For the signature tests, I am not convinced that it is useful for anything more than an MD5 signature would be. By the time the test runs, you're already running code that could have been tampered with. It's really only useful for checking for accidental errors in the files (i.e., transmission problems). MD5 already does that just fine (even taking into account the general cryptographic issues with MD5).

SIGNATURE itself is still useful since you could check the signature yourself without the use of a test. Better yet, it should be integrated into CPAN(PLUS).pm (I believe CPANPLUS.pm already does, or plans to, but I'll have to check).

----
send money to your kernel via the boot loader.. This and more wisdom available from Markov Hardburn.

Re^2: How to create/generate META.yml and SIGNATURE files for CPAN
by PodMaster (Abbot) on Jul 27, 2004 at 08:06 UTC
    Module::Signature includes a cpansign program which can be used to verify a signature prior to executing any code. I generally do (in CPANPLUS) a z Modulename before testing a module just so I can verify a signature if one exists.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

Re^2: How to create/generate META.yml and SIGNATURE files for CPAN
by adrianh (Chancellor) on Jul 27, 2004 at 20:35 UTC
    It's really only useful for checking for accidental errors in the files

    It also acts as a sanity check for the developer doing a disttest - checking that you've generated an appropriate SIGNATURE.