On 2019-10-26 15:45:28 +0300, Niko Tyni wrote:
> I understand the CHECKSUMS files are PGP signed by the CPAN archive.
> I was referring to verifying these signatures. Whether the download
> is https or not is not relevant for that verification.

This is not documented and the signature does not appear to be
checked. Or do you have some proof?

Given that, https at least allows one to avoid MITM attacks.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
