* Jonathan Rockway <[EMAIL PROTECTED]> [2006-07-06 03:25]:
> I think the solution (to dependency hell) is to dictate that
> CPAN modules be signed with a standard algorithm. OpenPGP
> allows too many different algorithms, hence the 22 modules
> Crypt::OpenPGP is dependent on. The only strong reason to
> stick with OpenPGP is that it has the whole web-of-trust and
> keyserver infrastructure.
>
> If we can live without that,
What’s the point? If all that’s verified is that the distribution was signed with the key uploaded to the same directory, then all you can have confidence in is that the distribution was uploaded by someone who has permission to upload a key. That might be the author, or it might be an impostor who got ahold of the author’s account details and uploaded his own key. But to upload a distribution you need the author’s account details anyway! So the cryptosig doesn’t give you confidence in any facts that you didn’t already have confidence in.

In other words, for the signatures to improve confidence, they have to be generated from keys that either form a web of trust in which the downloader participates, or they have to be issued by a certification authority that imposes additional background verification before it will issue a key. I don’t think running a cert auth is feasible for CPAN. So the only worthwhile option is to participate in the PGP web of trust. If you do away with that, you can just as well do away with cryptosigs altogether.

NB.: of course, Mod::Sig currently doesn’t check the trustworthiness of a key, only whether a distribution is signed with the uploaded key, so it’s pointless in precisely the way outlined above. Until such time as trust checks are implemented, there is no point to signing CPAN distros.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
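The trust gap described in the reply above, worked through as an added illustration that is not part of the thread and not Module::Signature or CPAN code. It models an author directory that anyone holding the account can write to, and compares a verifier that fetches the key from that same directory with one that only accepts keys from the downloader's own trust store. Toy textbook RSA with small primes stands in for an OpenPGP key so the block runs on the standard library alone; the names, directory layout and distributions are constructed.

```python
import hashlib

def keypair(p, q, e=65537):
    """Toy textbook RSA with tiny primes: a stand-in for a real OpenPGP key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)

def _digest(contents, n):
    return int.from_bytes(hashlib.sha256(contents).digest(), "big") % n

def sign(contents, priv):
    d, n = priv
    return pow(_digest(contents, n), d, n)

def verify(contents, sig, pub):
    e, n = pub
    return pow(sig, e, n) == _digest(contents, n)

def upload(directory, key_id, pub, name, contents, priv):
    """Whoever holds the account can write the key and the distribution alike."""
    directory["keys"][key_id] = pub
    directory["dists"][name] = {"key_id": key_id, "contents": contents,
                                "sig": sign(contents, priv)}

def verify_co_located(directory, name):
    """The check the post criticises: the key is fetched from the same directory."""
    dist = directory["dists"][name]
    pub = directory["keys"].get(dist["key_id"])
    return pub is not None and verify(dist["contents"], dist["sig"], pub)

def verify_against_trust(directory, name, trusted):
    """The key must come from the downloader's own trust store, never the upload dir."""
    dist = directory["dists"][name]
    pub = trusted.get(dist["key_id"])
    return pub is not None and verify(dist["contents"], dist["sig"], pub)

def demo():
    """Returns ((honest co-located, honest trusted), (forged co-located, forged trusted))."""
    author_pub, author_priv = keypair(1009, 1013)
    trusted = {"AUTHOR": author_pub}        # obtained out of band, e.g. via key signing
    directory = {"keys": {}, "dists": {}}   # constructed author directory on a mirror
    upload(directory, "AUTHOR", author_pub, "Foo-1.00", b"genuine code", author_priv)
    honest = (verify_co_located(directory, "Foo-1.00"),
              verify_against_trust(directory, "Foo-1.00", trusted))
    # Someone holding the author's account details replaces the key and uploads.
    imp_pub, imp_priv = keypair(1019, 1021)
    upload(directory, "AUTHOR", imp_pub, "Foo-1.01", b"tampered code", imp_priv)
    forged = (verify_co_located(directory, "Foo-1.01"),
              verify_against_trust(directory, "Foo-1.01", trusted))
    return honest, forged

if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False))
```

The co-located check passes for both uploads, so it adds nothing beyond "someone with upload access did this"; only the trust-anchored check rejects the second distribution.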