On 2019-10-23 22:20:04 +0300, Niko Tyni wrote:
> So as I understand this, verifying CHECKSUMS would be the thing to do,
> and setting 'check_sigs' wouldn't really help (only deployed partially
> and no web of trust to the module authors).

Indeed, and even if check_sigs is set, it is ignored if the module is
not signed (instead of getting a failure). But CHECKSUMS needs to be
downloaded from a reliable website (I assume that www.cpan.org is) and
in a secure way (https, not http).

> From a cursory look it looks to me like cpanm from src:cpanminus verifies
> CHECKSUMS if Module::Signature (src:libmodule-signature-perl, bundles a
> recent PAUSE public key) is installed, but CPAN.pm doesn't. But I might
> be wrong.

I can see that, by default, CHECKSUMS is verified, if I understand
correctly:

[...]
Running install for module 'XML::TreePP'
Fetching with LWP: http://www.cpan.org/authors/id/K/KA/KAWASAKI/XML-TreePP-0.43.tar.gz
Fetching with LWP: http://www.cpan.org/authors/id/K/KA/KAWASAKI/CHECKSUMS
Checksum for /home/vlefevre/.cpan/sources/authors/id/K/KA/KAWASAKI/XML-TreePP-0.43.tar.gz ok
[...]

However, with the default urllist value, it is downloaded using http
(not https). One needs to set urllist to [q[https://www.cpan.org/]]

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
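As an added example, not code from this thread or from CPAN.pm itself: a Python sketch of the check the quoted output implies, parsing a constructed CHECKSUMS file (assumed shape: a PGP-signed Perl hash literal with 'sha256' and 'size' keys per distribution), verifying a distribution against it, and rejecting an http:// mirror the way the urllist change above does. The PGP signature check that check_sigs would add is not implemented here; the signature block in the sample is a placeholder.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Constructed stand-in for the bytes of XML-TreePP-0.43.tar.gz (not the real file).
TARBALL = b"constructed sample content standing in for XML-TreePP-0.43.tar.gz\n"

# Constructed CHECKSUMS text in the assumed shape CPAN.pm fetches: a PGP-signed
# Perl hash literal. The digest and size are computed from TARBALL above;
# the signature block is a placeholder, not a real PAUSE signature.
CHECKSUMS = """0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

# Checksums for authors/id/K/KA/KAWASAKI (constructed sample)
$cksum = {
  'XML-TreePP-0.43.tar.gz' => {
    'sha256' => '%s',
    'size' => %d,
  },
};
__END__
-----BEGIN PGP SIGNATURE-----
placeholder
-----END PGP SIGNATURE-----
""" % (hashlib.sha256(TARBALL).hexdigest(), len(TARBALL))

# One entry of the hash: 'filename' => { ... }
ENTRY = re.compile(r"'(?P<name>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}", re.S)

def parse_checksums(text):
    """Return {filename: {'sha256': hex, 'size': int}} from a CHECKSUMS body."""
    out = {}
    for m in ENTRY.finditer(text):
        sha = re.search(r"'sha256'\s*=>\s*'([0-9a-f]{64})'", m["body"])
        size = re.search(r"'size'\s*=>\s*(\d+)", m["body"])
        if sha and size:
            out[m["name"]] = {"sha256": sha[1], "size": int(size[1])}
    return out

def verify_distribution(name, data, checksums):
    """True only if both size and SHA-256 of `data` match the CHECKSUMS entry."""
    entry = checksums.get(name)
    if entry is None:
        return False  # unlisted file: refuse rather than silently accept
    return (len(data) == entry["size"]
            and hashlib.sha256(data).hexdigest() == entry["sha256"])

def is_secure_mirror(url):
    """Reject an http:// urllist entry: CHECKSUMS itself must not be swappable in transit."""
    return urlsplit(url).scheme == "https"
```

Verifying a tarball against a CHECKSUMS file fetched over plain http only proves the two files agree with each other, which is why the mirror check belongs in front of the digest check.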