Beefy Boxes and Bandwidth Generously Provided by pair Networks
Come for the quick hacks, stay for the epiphanies.
 
PerlMonks  

(Signing modules) Re: Paranoia, NIH, and Beyond

by Corion (Patriarch)
on Jan 10, 2001 at 15:11 UTC ( [id://50905]=note: print w/replies, xml ) Need Help??


in reply to Paranoia, NIH, and Beyond
in thread A Fit on NIH

I really like the idea of having a built-in method of verifying the integrity of a module. This could "easily" be done by using a PGP/GPG-style mechanism or simply a built-in method of checking an appended IDEA (crypto-)hash of the source code and/or any XS used by the module.

A really simple way would be to extend the __DATA__ mechanism to also include a __SIGNATURE__ section, which contains an (IDEA)(crypto-)hash of the source code, which can then be checked optionally by Perl against the code and (if available) against a local list of "trusted" keys. Of course, if that list of trusted keys is compromised, all security is down, but if that list can be compromised, bets are that everything else already has been as well.

So, as I see it, a two-fold protection mechanism would need to be in place. One, a public/private key system with CPAN as a central repository for the public keys, so that everybody can check the authenticity of their modules, and a second, global public/private key, owned by CPAN, to check the integrity of every module locally at any time.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://50905]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others lurking in the Monastery: (5)
As of 2024-03-28 17:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found