Indeed, the keyserver has a very important role here (at least while
OpenPGP is the chosen approach). I actually believe this part is all
right as long as Internet access is avaiable.
But my point is that security is not enforced in any way. Seems
almost like it's an afterthought.
And actually, I think there might be some workarounds (some with
OpenPGP, some with other approaches):
With OpenPGP approach, maybe some keys from known developers
could be shipped together with perl (or maybe in separate
packages depending on the operating system). These keys take some
time to expire, and could be used to check for new other keys, in
a Web of Trust;
Outside of OpenPGP approach, however, there are options too. For
instance, I like OpenBSD's approach, with signify
. Every OpenBSD release contains the key necessary to verify
the next release, so indirectly every new key is signed by its
Maybe this could be applied to every Perl distribution, in
the sense that every distribution comes with the necessary key for
the next version. That way, at least every update will be safe.
It's worth noting these keys are relatively small (thanks to
ED25519 algorithm), so shipping them is cheap.
That way, only the first install would be unsafe, and a
compromised key could be easily detected during updates.
I know crypto solutions are not trivial, but I believe there are
options. I completely agree with the idea of giving choice to the
users, but I think security should be opt-out, not opt-in.
return on_success() or die;