kid51

  • Website: thenceforward.net/perl
  • About: kid51 is the IRC handle for James E Keenan, New York City-based Perl aficionado, CPAN contributor (id: JKEENAN), user group organizer and frequent conference speaker
Recent Actions from kid51

  • Aristotle commented on Addressing CPAN vulnerabilities related to checksums

    Yes – if authors signed their distributions themselves, this would verify the origin of the bits all the way to the source, rather than just up to PAUSE, which would be a worthwhile increase in trust. The only problem is the usual web of trust question: if the point is not to have to trust PAUSE then you can’t source authors’ keys from PAUSE, so where do you get them?

  • Robert Rothenberg commented on Addressing CPAN vulnerabilities related to checksums

    PAUSE signatures mean that you trust that this is what was uploaded to PAUSE. But it's possible that a malicious person stole an author's credentials to upload something.

    Author signatures mean that you trust that the author has approved this code.

    There's always the possibility that a malicious person has stolen PAUSE credentials *and* an author's key-signing credentials. It's not foolproof.

    As an added safety, we could add a scheme for multiple signatures to be added. So another person can review code and submit their signature to PAUSE somehow.

  • Neil Bowers commented on Addressing CPAN vulnerabilities related to checksums

    Thanks Jim - now fixed.

  • Neil Bowers commented on Addressing CPAN vulnerabilities related to checksums

    If the mirror is trustworthy and so is the connection to it, does verification of the PAUSE-signed CHECKSUMS serve any remaining purpose?

    Marginal benefit, I'd say. It's an additional check that you're getting the expected file.

    I've heard anecdotally that the checksums once identified a case where an rsync had been interrupted and resulted in a truncated file.

  • nhorne commented on Addressing CPAN vulnerabilities related to checksums

    I have a local mirror which downloads from https://cpan.org, so it's trusted. I then mount the mirror using NFS, so the entry in MyConfig.pm for urllist starts with "file://foo/bar". Even though I know it's trusted I still get:

    Warning: checksum file '/mnt/CPAN/authors/id/G/GB/GBARR/CHECKSUMS' not conforming.

    The cksum does not contain the key 'cpan_path' for 'CPAN-DistnameInfo-0.12.tar.gz'.
    Proceed nonetheless? [no]

    How can I handle this scenario?

About blogs.perl.org

blogs.perl.org is a common blogging platform for the Perl community. Written in Perl with a graphic design donated by Six Apart, Ltd.