
This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 39243
Status: open
Priority: 0/
Queue: CPAN

People
Owner: Nobody in particular
Requestors: mschwern [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 1.9205
Fixed in: (no value)



Subject: Remove signature test?
I went to go install a new version of CPAN on a fresh 5.8.8. When I ran the tests I got...

    t/00signature.......1/1 Unknown cipher: SHA1, please install Digest::SHA, Digest::SHA1, or Digest::SHA::PurePerl
    ==> UNKNOWN Cipher format! <==

It's annoying that I have to install a module to upgrade the module installer.

Could that signature test be removed? It doesn't serve any purpose as the SIGNATURE file could have just as easily been replaced by a man-in-the-middle.

That or put in an exception for CIPHER_UNKNOWN and CANNOT_VERIFY.

Thanks.

Subject: Re: [rt.cpan.org #39243] Remove signature test?
Date: Sun, 14 Sep 2008 10:14:47 +0200
To: bug-CPAN [...] rt.cpan.org
From: andreas.koenig.7os6VVqR [...] franz.ak.mind.de (Andreas J. Koenig)

>>>>> On Sat, 13 Sep 2008 05:18:44 -0400, "Michael G Schwern via RT" <bug-CPAN@rt.cpan.org> said:

> I went to go install a new version of CPAN on a fresh 5.8.8. When I ran
> the tests I got...

> t/00signature.......1/1 Unknown cipher: SHA1, please install
> Digest::SHA, Digest::SHA1, or Digest::SHA::PurePerl
> ==> UNKNOWN Cipher format! <==

Oops, I never saw this one before.

> It's annoying that I have to install a module to upgrade the module
> installer.

Agree.

> Could that signature test be removed? It doesn't serve any purpose as
> the SIGNATURE file could have just as easily been replaced by a
> man-in-the-middle.

If you want to argue about security, please make it a separate ticket.

> That or put in an exception for CIPHER_UNKNOWN and
> CANNOT_VERIFY.

I think I do a skip if one of the three mentioned modules isn't installed.

[time passes]

DONE. Will be in 1.92_65

--
andreas

Subject: Re: [rt.cpan.org #39243] Remove signature test?
Date: Sun, 14 Sep 2008 15:07:00 -0700
To: bug-CPAN [...] rt.cpan.org
From: Michael G Schwern <schwern [...] pobox.com>

(Andreas J. Koenig) via RT wrote:

> > Could that signature test be removed? It doesn't serve any purpose as
> > the SIGNATURE file could have just as easily been replaced by a
> > man-in-the-middle.
>
> If you want to argue about security, please make it a separate ticket.

I reference this discussion...
http://www.nntp.perl.org/group/perl.qa/2007/12/msg9902.html
...but I see we already went through this before. Ok.

> > That or put in an exception for CIPHER_UNKNOWN and
> > CANNOT_VERIFY.
>
> I think I do a skip if one of the three mentioned modules isn't
> installed. [time passes] DONE. Will be in 1.92_65

Thanks. I recommend using the constants instead to protect against future changes to the guts of Module::Signature or future ciphers.

PS I think the above happened because I had a 64 bit perl install looking at a 32 bit site-perl. So it thought it had modules installed but they wouldn't actually load.

--
Life is like a sewer - what you get out of it depends on what you put into it.
    - Tom Lehrer
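
Added example, not code from this ticket or from the CPAN distribution: a signature test that skips on the result constants of Module::Signature, as the last message recommends, instead of probing for the digest modules. It assumes Test::More is available and that the test runs from the distribution root; the skip messages are wording made up for this example.

```perl
#!/usr/bin/perl
# Added example: skip, rather than fail, when the SIGNATURE cannot be checked.
use strict;
use warnings;
use Test::More tests => 1;

SKIP: {
    skip 'no SIGNATURE file in this distribution', 1 unless -s 'SIGNATURE';
    skip 'Module::Signature is not installed', 1
        unless eval { require Module::Signature; 1 };

    # A module that is present on disk but fails to load (the 64-bit /
    # 32-bit mix-up described in the ticket) may surface as an exception.
    my $rv = eval { Module::Signature::verify() };
    skip "verify() died: $@", 1 unless defined $rv;

    # CANNOT_VERIFY is the string '0E0', which is numerically equal to
    # SIGNATURE_OK (0), so it has to be tested first and with 'eq'.
    skip 'no OpenPGP backend available (CANNOT_VERIFY)', 1
        if $rv eq Module::Signature::CANNOT_VERIFY();

    # Returned when no digest module for the cipher named in SIGNATURE loads.
    skip 'no digest module for the SIGNATURE cipher (CIPHER_UNKNOWN)', 1
        if $rv == Module::Signature::CIPHER_UNKNOWN();

    # Every other non-OK value (bad signature, mismatch, ...) is a failure.
    is($rv, Module::Signature::SIGNATURE_OK(), 'SIGNATURE verifies');
}
```

A skipped run says nothing about the integrity of the files; only the final `is()` branch performs a check.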