Hi,

On 2022-10-22 14:31:24 +0200, Clément Hermann wrote:
> I could reproduce your issue if I enable the check_sigs option in CPAN
> (which is _not_ the default).

OK, I forgot about that (though I think that it should be the default for
security reasons, and IIRC, this was recommended for this reason in some
other thread).

> Thing is, it's not a bug, really. Or not quite. It's a result of the
> correction of a bug in CPAN < 2.29 which would succeed silently if there is no
> signature/no way to check the key.
>
> You can find some context in
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1015985 and
> http://blogs.perl.org/users/neilb/2021/11/addressing-cpan-vulnerabilities-related-to-checksums.html

I didn't know that. In particular, I had not received any announcement,
probably because it is still not fixed in Debian/stable. And AFAIK, http is
also still used by default in Debian/stable, so that this makes the security
even worse.

> I do agree that it's bad UX that CPAN isn't more helpful when the key isn't
> available, e.g. asking for it or suggesting a way to get it, but the fact
> that it fails if the key isn't available while the Checksums are signed is
> the right behavior, and your workaround (getting the key) is the right
> solution.
>
> CPAN doesn't have a way to centralize keys themselves, and probably shouldn't,
> either. Not sure how such an error can be avoided completely (the Debian method
> of having a preconfigured keyring won't do for CPAN IMO), but it should at
> least suggest a solution.

I agree. There should be at least sufficient documentation when the error
occurs. If Debian could automatically provide the key and use it, this would
be better, IMHO: less work for the user, and this would ensure (if correctly
done) that the key is correct and still valid.

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)