Timothy Legge
- About: FOSS developer who has been scratching various itches for many years.
Recent Actions
- Commented on Signing CPAN Releases with SigStore
  At present PAUSE has no way to validate that I am the timlegge@....com that uploaded those files. PAUSE does have my "private email" which happens to be the one that I used so it could verify that the signature is...
- Commented on Signing CPAN Releases with SigStore
  Grinnz in addition, all cosign signatures are added to the append-only transparency log: I grabbed the SHA256 from the CHECKSUMS file on cpan and queried: https://search.sigstore.dev/?hash=9b8582e5ad8b56093bc1d6f59888333af3c3615f9dde989e5b56f6a1ad3b2627 It shows the entry for the release version 0.04 that I released earlier today....
- Commented on Signing CPAN Releases with SigStore
  Exactly brian d foy, using a standard solution across ecosystems is key. We can leverage the things built for everyone and it will help the distros have consistency for validating upstream sources....
- Commented on Signing CPAN Releases with SigStore
  The current version uses the defaults for OIDC identity provider that cosign uses. I have not looked any closer at the moment....
- Posted Signing CPAN Releases with SigStore to Timothy Legge
  Signing CPAN Releases with SigStore
  At the most recent Perl Tool Chain Summit (PTS) in Vienna we decided to deprecate Module::Signature. Module::Signature has been around for a long time but it has become increasingly clear that it does not provide the security…
- Posted Perl Toolchain Summit 2026 - Vienna to Timothy Legge
  This year, I was once again honored to be invited to the Perl Toolchain Summit (PTS), held in Vienna. Following productive years in Lisbon and Leipzig, the CPAN Security Group (CPANSec) spent time discussing how to improve the security of the Perl and CPAN ecosystem.
  As always, the magic o…
- Posted Vulnerable Perl Spreadsheet Parsing modules to Timothy Legge
  Between Dec 2023 and Jan 2024, vulnerabilities in …
Comment Threads
- Grinnz commented on Signing CPAN Releases with SigStore
  If PAUSE could provide (pardon the pun) an identity provider service that this could utilize, that seems like it would make a nice closed loop of trust. PAUSE mostly only gets significant overhauls at a PTS though :)
- Ranguard commented on Signing CPAN Releases with SigStore
  Nice!
- Dean commented on Signing CPAN Releases with SigStore
  This discussion seems healthy and there appears to be a lot of alignment already.