kid51
- Website: thenceforward.net/perl
- About: kid51 is the IRC handle for James E Keenan, New York City-based Perl aficionado, CPAN contributor (id: JKEENAN), user group organizer and frequent conference speaker
Recent Actions
- Commented on Addressing CPAN vulnerabilities related to checksums:
  CPAN.pm: preferably upgrade to version 2.29, or if configure your existing installation. Something seems to be missing between "if" and "configure" in that sentence....
- Commented on On the eve of CPAN Testers:
  So where can I RTFM on how to set up a smoker? cpan Task::CPAN::Reporter...
- Commented on On the eve of CPAN Testers:
  Aristotle wrote: "Has it prompted you? You asked what I am proposing to fix this. Well, do you come into the picture anywhere? Yes, it has. When I set up a new virtual machine (which I do via vagrant, I...
- Commented on On the eve of CPAN Testers:
  Within just a few years, we are severely down on CPAN Testers resources. So, let's get concrete. What steps are you proposing or personally taking to improve the situation?...
- Posted Bye, bye search.cpan.org to James E Keenan:
  For me, at least, a sad moment. But you can read the details at log.perl.org and make up your own mind.
- Commented on CFP still open - Second Round closing soon:
  In case it's not apparent from the very terse wording of this post ... this refers to The Perl Conference (North America), to be held in Salt Lake City, Utah, with main conference days being June 18 - 20....
- Posted Configure at the 2017 Perl 5 Core Hackathon to James E Keenan:
  Configure at the Perl 5 Core Hackathon
  One major focus of discussion at the Perl 5 Core Hackathon in Amsterdam last month was the status of the program Configure. In this post, we provide a brief introduction to Configure a…
- Posted 2017 Perl 5 Core Hackathon Held in Amsterdam October 12-15 to James E Keenan:
  …
- Posted Barcelona Perl & Friends: Saturday 4 Nov 2017 to James E Keenan:
  Barcelona Perl & Friends: Saturday 4 Nov 2017
  A free one-day conference for Geeks and F…
- Commented on I can't install perl-5.26.0-RC1 in CentOS 5.11:
  Would you be able to either (a) sign up for the Perl 5 Porters mailing list (send email to: perl5-porters-subscribe@perl.org) or (b), using a newsreader, subscribe to the perl.perl5.porters group at nntp.perl.org? Members of the Perl 5 Porters are working...
- Commented on Trials and troubles with changing @INC:
  Thanks for putting in the effort on this!...
- Commented on A happy mod_perl story:
  Tell us more!...
- Commented on Are Restricted/Locked Hashes A Failed Experiment?:
  Andreas, could you provide an example of that usage of lock_keys() with Getopt::Long? Since that's a library I've often used, I'd like to see how you use it and whether there are alternatives. Thank you very much....
- Commented on Paging TOBYINK:
  The test failures in Type::Tiny are becoming more urgent as we get closer to the release of perl-5.26.0. There are over 600 CPAN distributions which have first-level dependencies on this module. They cannot be tested against blead until this one...
- Commented on Upping minimum version for Devel::Cover:
  Ether wrote: I would humbly suggest that you *not* change the 'use' line in code to *force* that 5.8.1 be used -- surely, if someone else wants to install the code under 5.6, and especially if they are motivated...
- Commented on Is this thing on?:
  Welcome, Joe!...
Comment Threads
- Aristotle commented on Addressing CPAN vulnerabilities related to checksums:
  Yes – if authors signed their distributions themselves, this would verify the origin of the bits all the way to the source, rather than just up to PAUSE, which would be a worthwhile increase in trust. The only problem is the usual web of trust question: if the point is not to have to trust PAUSE then you can’t source authors’ keys from PAUSE, so where do you get them?
- Robert Rothenberg commented on Addressing CPAN vulnerabilities related to checksums:
  PAUSE signatures means that you trust that this is what was uploaded to PAUSE. But it's possible that a malicious person stole an author's credentials to upload something.
  Author signatures means that you trust that the author has approved this code.
  There's always the possibility that a malicious person has stolen PAUSE credentials *and* an author's key-signing credentials. It's not foolproof.
  As an added safety, we could add a scheme for multiple signatures to be added. So another person can review code and submit their signature to PAUSE somehow.
- Neil Bowers commented on Addressing CPAN vulnerabilities related to checksums:
  Thanks Jim - now fixed.
- Neil Bowers commented on Addressing CPAN vulnerabilities related to checksums:
  If the mirror is trustworthy and so is the connection to it, does verification of the PAUSE-signed CHECKSUMS serve any remaining purpose?
  Marginal benefit, I'd say. It's an additional check that you're getting the expected file.
  I've heard anecdotally that the checksums once identified a case where an rsync had been interrupted and resulted in a truncated file.
- nhorne commented on Addressing CPAN vulnerabilities related to checksums:
  I have a local mirror which downloads from https://cpan.org, so it's trusted. I then mount the mirror using NFS, so the entry in MyConfig.pm for urllist starts with "file://foo/bar". Even though I know it's trusted I still get:
  Warning: checksum file '/mnt/CPAN/authors/id/G/GB/GBARR/CHECKSUMS' not conforming.
  The cksum does not contain the key 'cpan_path' for 'CPAN-DistnameInfo-0.12.tar.gz'.
  Proceed nonetheless? [no]
  How can I handle this scenario?