
This queue is for tickets about the Module-Signature CPAN distribution.

Report information
The Basics
Id: 14287
Status: rejected
Priority: 0/
Queue: Module-Signature

People
Owner: Nobody in particular
Requestors: rrwo [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)
Subject: Verify that key which signed file belongs to the author
There is no verification that the key used to sign modules does in fact belong to the author. So any mal-intentioned person could modify a module, sign it with a key that has been uploaded to CPAN (perhaps even one which has the author's E-mail address), and post the module on a web site, etc. There needs to be a way for CPAN authors to register or post their keys (this requires a change to PAUSE/CPAN infrastructure) so that Module::Signature can obtain their key and use that for verifying the signature. (Whether anyone associated with CPAN etc. signs keys or builds a web of trust is another issue.)
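
A defender-side check for the gap this ticket describes, added here as an example and not part of Module::Signature or CPAN: it parses the status lines gpg emits when verifying a SIGNATURE file and accepts the signature only when the signing key's fingerprint is one registered to the claimed author, so a valid signature from a different key carrying the author's name and e-mail address is rejected. The author registry, the PAUSE id, the fingerprints and the status lines are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed registry: PAUSE id -> fingerprints of keys the author registered.
# (The ticket notes CPAN has no such registry; this stands in for one.)
TRUSTED: Dict[str, Set[str]] = {
    "EXAMPLEID": {"1111222233334444555566667777888899990000"},
}

# Constructed gpg --status-fd output, in the VALIDSIG field layout gpg documents:
# fingerprint, date, timestamp, expiry, version, reserved, pk-algo, hash, class, primary-fpr.
STATUS_AUTHOR_KEY = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Example Author <author@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2024-01-01 1704067200 0 4 0 1 10 00 1111222233334444555566667777888899990000
"""
# Same name and e-mail in the user id, but a different key (the case the ticket describes).
STATUS_LOOKALIKE_KEY = (STATUS_AUTHOR_KEY
    .replace("1111222233334444555566667777888899990000", "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333")
    .replace("7777888899990000", "0000111122223333"))
STATUS_BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 7777888899990000 Example Author <author@example.org>\n"

@dataclass
class Verdict:
    signature_valid: bool
    fingerprint: Optional[str]
    key_trusted: bool
    reason: str

def parse_gpg_status(status: str) -> Tuple[bool, Optional[str]]:
    """Return (signature verified?, fingerprint of the key that made it)."""
    valid, fpr = False, None
    for line in status.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False, None
        if fields[1] == "VALIDSIG" and len(fields) >= 3:
            valid = True
            # Prefer the primary-key fingerprint (11th value) when gpg supplies it,
            # so a signing subkey is still matched against the registered primary key.
            fpr = (fields[11] if len(fields) > 11 else fields[2]).upper()
    return valid, fpr

def check_author_key(status: str, author: str) -> Verdict:
    """Require both a good signature and a key registered to the claimed author."""
    valid, fpr = parse_gpg_status(status)
    if not valid:
        return Verdict(False, fpr, False, "signature did not verify")
    if fpr in TRUSTED.get(author, set()):
        return Verdict(True, fpr, True, "signature valid and key registered to author")
    # A bare signature check stops at GOODSIG; the user id on a key is self-asserted,
    # so it does not establish who actually holds the key.
    return Verdict(True, fpr, False, "signature valid but key is not registered to author")
```
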

While you are absolutely correct about the possible issues, solving them is currently outside the scope of Module::Signature. Once the appropriate infrastructure for authors to register their keys, and for others to retrieve them securely, exists, this ticket should be reopened.