http://www.astray.com/

Leon Brocard (aka acme) is an orange-loving Perl eurohacker with many varied contributions to the Perl community, including the GraphViz module on the CPAN. YAPC::Europe was all his fault. He is still looking for a Perl Monger group he can start which begins with the letter 'D'.

Journal of acme (189)

Sunday August 04, 2002
12:39 PM

Secure CPAN

[ #6887 ]
Occasionally I make noises about the fact that CPAN is so insecure and that maybe we should throw digital signatures at it. Well, crypto is tricky, but I came across the Strong Distribution HOWTO which explains what is needed. Infrastructure. A pure-perl openpgp implementation (luckily we have Crypt::OpenPGP, which looks good). Lots of keys and keysigning (there are a lot of CPAN authors and we'd have to convince each of them to use crypto and sign their distributions, arrrggh). Basically a lot of work for a system where people still do "perl Makefile.PL", "make" and "make test" as root. Interesting though...
  • somewhere where this is actually being used and being used successfully currently?

    • Does it matter much? It shouldn't take much more infrastructure to support storing PGP signatures of each upload - should "just work". And then it just requires a modification to CPANPLUS - Jos said that wouldn't be much work.

      Of course there's probably lots I'm not thinking of.
      • Not much of a change indeed, except that for better spreadability still a change to MakeMaker might help (in case people aren't using CPANPLUS). I'm not a security freak, but I've always been amazed that no exploit (that I know of) has managed to make its way through CPAN, and I'm totally in favour of requiring all CPAN authors to provide public keys. After that making "make dist" auto-require a signature wouldn't be too hard.

        The additional bonuses appear in the fact that modules could be recommended

        -- Robin Berjon [berjon.com]

        • But having signed distros isn't enough. Why would I trust Foo's signature? PGP is cool but it requires establishing a web of trust. Here and there people seem to understand that, but actually getting them to exchange key signatures is another story--while at OSCON I could get only one guy to sign my key. Until we actively sign each other's keys when we physically meet, this will remain a pipe dream.
      • Well, I'd be interested to see if other archives like CTAN, etc. have ever attempted it or are actually doing this. Sun has the solaris fingerprint database [sun.com] which was started, as I recall, by Casper Dik. PKI is inherently flawed and the 'web of trust' is only as trustworthy as the weakest link and, with over 1600 authors, there exists a great potential for poor key management and system administration. I just don't see how this method would greatly improve upon the current method.

    • I think Debian has it. All Debian packages are signed using the packager's GPG key and all GPG keys are in the web of trust. There is quite a strict procedure you need to pass to become a packager and have your key signed by another packager. It is described in this document [debian.org]. This is to ensure that your key does represent you.

      Not sure that CPAN needs to follow a similar procedure for the registration of new CPAN authors, but since you have asked...

      -- Ilya Martynov (http://martynov.org/ [martynov.org])
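The journal entry and the replies above describe the same pipeline in words: the author signs the distribution at "make dist", the signature is stored next to the upload, and the installer checks it before running Makefile.PL. The replies also make the point that a valid signature is not enough on its own; the signer's key must be one that has been registered and vouched for, which is what the web of trust or a Debian-style registration procedure provides. The example below is added here to make that decision logic concrete; it is not code from the journal, from CPANPLUS, or from any CPAN project. It uses Ed25519 from Go's standard library as a stand-in for the OpenPGP signatures the thread talks about (in practice Crypt::OpenPGP or gpg would produce them), and the key registry, the `Trusted` flag, the key-ID scheme, the demo keys and the tarball contents are all constructed assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Verdict is the installer's decision for one distribution.
type Verdict string

const (
	VerdictOK           Verdict = "install: signature valid and signer key trusted"
	VerdictUnknownKey   Verdict = "reject: signer key is not registered"
	VerdictBadSignature Verdict = "reject: signature does not match the tarball"
	VerdictUntrusted    Verdict = "reject: signature valid but signer key is not vouched for"
)

// AuthorKey is one entry in a hypothetical CPAN author key registry.
// Trusted models the web-of-trust / registration step from the thread: a key
// that has merely been uploaded stays Trusted=false until someone vouches for it.
type AuthorKey struct {
	Pub     ed25519.PublicKey
	Trusted bool
}

// Keyring maps a key ID to its registered key (hypothetical registry).
type Keyring map[string]AuthorKey

// Signature is the record that would be stored next to each upload.
type Signature struct {
	KeyID string
	Sig   []byte
}

// KeyID stands in for a PGP key fingerprint: a hash of the public key material.
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// SignDist is the author-side "make dist" step: sign the tarball bytes.
func SignDist(priv ed25519.PrivateKey, tarball []byte) Signature {
	return Signature{KeyID: KeyID(pubOf(priv)), Sig: ed25519.Sign(priv, tarball)}
}

// VerifyDist is the installer-side check that must run before "perl Makefile.PL"
// touches anything. Order matters: look the key up, check the signature against
// the bytes actually downloaded, then apply the trust policy.
func VerifyDist(ring Keyring, tarball []byte, sig Signature) Verdict {
	key, ok := ring[sig.KeyID]
	if !ok {
		return VerdictUnknownKey
	}
	if !ed25519.Verify(key.Pub, tarball, sig.Sig) {
		return VerdictBadSignature
	}
	if !key.Trusted {
		return VerdictUntrusted
	}
	return VerdictOK
}

func pubOf(priv ed25519.PrivateKey) ed25519.PublicKey {
	return priv.Public().(ed25519.PublicKey)
}

// keyFromSeed derives a deterministic demo key pair from a label.
// Constructed for this example only; real author keys are generated randomly.
func keyFromSeed(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// DemoVerdicts walks through the cases raised in the thread and returns the
// verdicts in this order: vouched author, tampered tarball, registered but
// unvouched key, key never registered at all.
func DemoVerdicts() []Verdict {
	author := keyFromSeed("registered-and-vouched-author")   // constructed
	newcomer := keyFromSeed("registered-but-unvouched-author") // constructed
	stranger := keyFromSeed("never-registered")                // constructed

	ring := Keyring{
		KeyID(pubOf(author)):   {Pub: pubOf(author), Trusted: true},
		KeyID(pubOf(newcomer)): {Pub: pubOf(newcomer), Trusted: false},
	}

	dist := []byte("constructed stand-in for Some-Module-1.00.tar.gz")
	tampered := append([]byte{}, dist...)
	tampered[0] ^= 0x01 // one flipped bit, as a modified upload would be

	goodSig := SignDist(author, dist)
	return []Verdict{
		VerifyDist(ring, dist, goodSig),
		VerifyDist(ring, tampered, goodSig),
		VerifyDist(ring, dist, SignDist(newcomer, dist)),
		VerifyDist(ring, dist, SignDist(stranger, dist)),
	}
}

func main() {
	for _, v := range DemoVerdicts() {
		fmt.Println(v)
	}
}
```

The third case is the one the "web of trust" replies are about: the signature checks out mathematically, yet the installer still refuses because nobody has vouched for the key, so a fresh key uploaded by whoever compromised an account buys nothing. The check also has to run before any of the distribution's own code executes, which is exactly the step skipped by running "perl Makefile.PL" as root on an unverified tarball.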