Subject: CR signature breakage in DT::Locale
Date: Fri, 28 Aug 2009 12:38:16 +0100
To: bug-DateTime-Locale [...] rt.cpan.org
From: Zefram <zefram [...] fysh.org>

There is a bug in Module::Signature which is causing false signature
verification failures for DateTime::Locale. The bug is that it attempts
to canonicalise line endings of text files for checksumming, but it does
so in a way that doesn't work on perl 5.6. The practical upshot is that
if you have \r\n line endings then a signature generated with perl 5.8+
will fail to verify on perl 5.6. All the XML files in tools/t/test-data
have \r\n line endings, and so suffer this problem.

There's an easy workaround: don't use \r\n. If all the files are changed
to use \n, like the rest of the distribution, then checksums will be
computed consistently.

Of course, the principle of signing something other than what's
actually distributed is a stupid idea that opens up security
holes. I have mentioned this to the M::S author, along with the
inconsistent-canonicalisation bug.
-zefram
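
An added example, not part of the original message and not Module::Signature's own code: a Python script that walks an unpacked distribution and lists the files whose checksum changes when CRLF is rewritten to LF, which are the files exposed to the inconsistency reported above. Modelling canonicalisation as a plain CRLF-to-LF replacement, the SHA-256 digest, and all function names and sample files are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def canonicalise(data):
    """Assumed model of text canonicalisation: every CRLF becomes LF."""
    return data.replace(b"\r\n", b"\n")


def digests(data):
    """Return (digest of the raw bytes, digest of the canonicalised bytes)."""
    raw = hashlib.sha256(data).hexdigest()
    canon = hashlib.sha256(canonicalise(data)).hexdigest()
    return raw, canon


def ambiguous_files(root):
    """List files under root whose checksum depends on line-ending handling."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                raw, canon = digests(fh.read())
            # A verifier that canonicalises and one that does not will
            # disagree about exactly these files.
            if raw != canon:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample distribution: one CRLF file and one LF file."""
    os.makedirs(os.path.join(root, "t"))
    with open(os.path.join(root, "t", "crlf.xml"), "wb") as fh:
        fh.write(b"<a>\r\n</a>\r\n")
    with open(os.path.join(root, "t", "lf.xml"), "wb") as fh:
        fh.write(b"<a>\n</a>\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel in ambiguous_files(tmp):
            print("checksum depends on line-ending handling:", rel)
```

The two sample files differ on disk but share one canonicalised digest, so a signature over the canonical form does not pin down the bytes that were actually shipped.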