Indeed, the keyserver has a very important role here (at least while
OpenPGP is the chosen approach). I actually believe this part is all
right as long as Internet access is avaiable.
But my point is that security is not enforced in any way. Seems
almost like it's an afterthought.
And actually, I think there might be some workarounds (some with
OpenPGP, some with other approaches):
-
With OpenPGP approach, maybe some keys from known developers
could be shipped together with perl (or maybe in separate
packages depending on the operating system). These keys take some
time to expire, and could be used to check for new other keys, in
a Web of Trust;
-
Outside of OpenPGP approach, however, there are options too. For
instance, I like OpenBSD's approach, with signify
. Every OpenBSD release contains the key necessary to verify
the next release, so indirectly every new key is signed by its
predecessor.
Maybe this could be applied to every Perl distribution, in
the sense that every distribution comes with the necessary key for
the next version. That way, at least every update will be safe.
It's worth noting these keys are relatively small (thanks to
ED25519 algorithm), so shipping them is cheap.
That way, only the first install would be unsafe, and a
compromised key could be easily detected during updates.
I know crypto solutions are not trivial, but I believe there are
options. I completely agree with the idea of giving choice to the
users, but I think security should be opt-out, not opt-in.
return on_success() or die;
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|