Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer
 
PerlMonks  

comment on

( [id://3333]=superdoc: print w/replies, xml ) Need Help??

Indeed, the keyserver has a very important role here (at least while OpenPGP is the chosen approach). I actually believe this part is all right as long as Internet access is avaiable.

But my point is that security is not enforced in any way. Seems almost like it's an afterthought.

And actually, I think there might be some workarounds (some with OpenPGP, some with other approaches):

  • With OpenPGP approach, maybe some keys from known developers could be shipped together with perl (or maybe in separate packages depending on the operating system). These keys take some time to expire, and could be used to check for new other keys, in a Web of Trust;
  • Outside of OpenPGP approach, however, there are options too. For instance, I like OpenBSD's approach, with signify . Every OpenBSD release contains the key necessary to verify the next release, so indirectly every new key is signed by its predecessor.

    Maybe this could be applied to every Perl distribution, in the sense that every distribution comes with the necessary key for the next version. That way, at least every update will be safe. It's worth noting these keys are relatively small (thanks to ED25519 algorithm), so shipping them is cheap.

    That way, only the first install would be unsafe, and a compromised key could be easily detected during updates.

I know crypto solutions are not trivial, but I believe there are options. I completely agree with the idea of giving choice to the users, but I think security should be opt-out, not opt-in.

return on_success() or die;


In reply to Re^2: cpan/cpanm integrity and authenticy checks concerns by hrcerq
in thread cpan/cpanm integrity and authenticy checks concerns by hrcerq

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":



  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others taking refuge in the Monastery: (6)
As of 2024-03-28 13:45 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found