in reply to Muse on Digital Signatures in Perl Modules
However, suppose you have massaged Perl such that it will fetch modules from the internet and load them for you. (You can do that to some extent with my CPAN module The::Net.) Not just source modules, but compiled modules as well. Then just signing is not enough. Your signing the module doesn't give me any guarantees. I might not know you, hence the signature doesn't tell me anything, or, if I know you and have your PGP public key, I still might not trust you.
You'd need to set up a trust system. Perhaps I don't trust you, but I do trust Mr. Feeble, and Mr. Feeble has vouched for you. Then I might be willing to run your code.
Luckily, someone has already thought about this: Brian Ingerson, of Inline::C fame. At the last YAPC::NA, there was a meeting on the following Saturday about peer-to-peer exchange of (compiled) modules. I missed it, but Brian will be at TPC and YAPC::Europe, and has promised he will have the idea more worked out by then.
-- Abigail
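The trust system Abigail describes ("I don't trust you, but I trust Mr. Feeble, and Mr. Feeble has vouched for you"), as an added example in Python that is not part of the original post and not code from The::Net. It assumes the cryptographic signature on a fetched module has already been checked by an external tool (gpg or Module::Signature), so each module record only carries a `signature_ok` flag plus the signer's key fingerprint; the fingerprints, the vouch graph and the module records are constructed placeholders. The point it makes is the one in the post: a valid signature from an unknown key is refused, and a key becomes acceptable only through a vouching path from keys I trust directly, bounded by a hop limit and a minimum voucher count.

```python
"""Added example (not Abigail's code): decide whether to load a fetched,
signed module by resolving a trust path from keys I trust directly.

Assumption: signature verification itself is done out of band (gpg /
Module::Signature); this code only answers "do I trust the signer?".
All fingerprints below are placeholder strings, not real keys."""


def trusted_keys(direct, vouches, max_depth=2, min_vouchers=1):
    """Compute the keys I am willing to accept module signatures from.

    direct       -- fingerprints I trust without any vouching (depth 0)
    vouches      -- {voucher: set(vouched)}; each entry stands for a key
                    certification ("Mr. Feeble has vouched for you")
    max_depth    -- how many vouching hops from my own keys I accept
    min_vouchers -- how many already-trusted keys must vouch for a key
                    before I trust it (1 = any trusted introducer suffices)

    Returns {fingerprint: depth}. Keys already trusted are never revisited,
    so cycles in the vouch graph (A vouches B, B vouches A) terminate."""
    trusted = {k: 0 for k in direct}
    for depth in range(1, max_depth + 1):
        counts = {}
        for voucher, vouched in vouches.items():
            if voucher not in trusted:
                continue            # an untrusted key's vouch is worth nothing
            for key in vouched:
                if key not in trusted:
                    counts[key] = counts.get(key, 0) + 1
        newly = {k for k, n in counts.items() if n >= min_vouchers}
        if not newly:
            break
        for k in newly:
            trusted[k] = depth
    return trusted


def may_load(module, trusted):
    """Return (allowed, reason) for one fetched module record.

    A valid signature from a key outside the trust set is refused: the
    signature proves who signed, not whether that person should be trusted."""
    if not module["signature_ok"]:
        return False, "signature does not verify"
    signer = module["signer"]
    if signer not in trusted:
        return False, "signer %s has no trust path" % signer
    return True, "signer %s trusted at depth %d" % (signer, trusted[signer])


# Constructed sample data: my single directly trusted key and the vouches
# (key certifications) I have collected.
MY_KEYS = {"FEEBLE"}
VOUCHES = {
    "FEEBLE": {"ABIGAIL", "MALLORY"},
    "ABIGAIL": {"CAROL"},
    "MALLORY": {"CAROL"},
    "CAROL": {"DAVE"},
    "DAVE": {"FEEBLE"},             # cycle back to my own key
}

# Constructed module records as an out-of-band signature check would report them.
MODULES = [
    {"name": "The::Net",  "signer": "ABIGAIL", "signature_ok": True},
    {"name": "Evil::Mod", "signer": "EVE",     "signature_ok": True},
    {"name": "Bad::Sig",  "signer": "FEEBLE",  "signature_ok": False},
    {"name": "Far::Away", "signer": "DAVE",    "signature_ok": True},
]

if __name__ == "__main__":
    trust = trusted_keys(MY_KEYS, VOUCHES)
    for m in MODULES:
        ok, why = may_load(m, trust)
        print("%-10s %s (%s)" % (m["name"], "load" if ok else "refuse", why))
```

With the defaults, ABIGAIL (vouched by FEEBLE) and CAROL (vouched by two depth-1 keys) are accepted, DAVE is three hops away and refused, and EVE's perfectly valid signature is refused because no trust path reaches her key. Raising `min_vouchers` to 2 shrinks the trusted set to my own key, since a single introducer is then no longer enough; raising `max_depth` to 3 admits DAVE, and the DAVE-to-FEEBLE edge shows the cycle is harmless.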