Sorry, meant to send this to the list. :)
> What’s the point?
Good question. Crypt::OpenPGP doesn't maintain a web-of-trust either.
People that have webs of trust have GPG, otherwise, what are they using?
> If all that’s verified is that the distribution was signed with
> the key uploaded to the same directory, then all you can have
> confidence in is that distribution was uploaded by someone who
> has permission to upload a key. That might be the author, or it
> might be an impostor who got ahold of the author’s account
> details and uploaded his own key.
This protects end-users against a malicious CPAN mirror, though. If
PAUSE is compromised, that's a whole other set of problems. (Yes, WoT
would protect you from PAUSE being compromised. Only if your network is
extensive enough to cover every person who has ever uploaded anything to
CPAN. I use PGP extensively, but have never actually verified any CPAN
authors' keys in person. I tried at YAPC but I never managed to
actually find anyone that was interested in exchanging keys :) I doubt
the average JAPH is going to go to that much effort just to be sure that
nobody's secretly compromised the PAUSE or their friendly local CPAN
mirror.)
> I don’t think running a cert auth is feasible for CPAN. So the
> only worthwhile option is to participate in the PGP web of trust.
> If you do away with that, you can just as well do away with
> cryptosigs altogether.
True. Right now they're pretty useless. I have downloaded some modules
that didn't verify and installed them anyway. Jifty, for example,
contains a bunch of ._foo and ._bar files that aren't in the MANIFEST,
and therefore CPANPLUS chokes when you try to install it.
On a more positive note, we can eliminate a lot of Crypt::OpenPGP's
dependencies by stripping out keygen (Crypt::Random -> Math::Pari, which
is a nightmare to install on some systems). If everyone somehow gets a
web-of-trust, then modifying Crypt::OpenPGP to require a certain level
of trust would be simple. Right now, though, it's just not worth it IMHO.
(What would be marginally worth it is having PAUSE sign distros. At
least we can assure that the CPAN mirror didn't tamper with the files,
which I think is the most likely "attack" on CPAN.)
Regards,
Jonathan Rockway
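An added example, not code from this thread or from Crypt::OpenPGP or Module::Signature: a Python sketch of the file-digest check that a SIGNATURE file's PGP signature covers, run against a constructed distribution, showing what it does catch (a file altered between signing and download, the mirror case) and what makes an install fail even with a good signature (stray files like Jifty's ._foo that are absent from MANIFEST). The `SHA1 <hex> <path>` line format and the file-by-file comparison are assumptions modelled on Module::Signature; the PGP layer, and the separate question of whether the signing key is really the author's, are left out.

```python
import hashlib

# Constructed sample distribution, {path: bytes}. MANIFEST lists what the
# author meant to ship; "._Foo.pm" is a stray resource-fork file like the
# ._foo / ._bar files mentioned for Jifty.
DIST = {
    "MANIFEST": b"Changes\nMANIFEST\nlib/Foo.pm\n",
    "Changes": b"0.01 initial release\n",
    "lib/Foo.pm": b"package Foo; 1;\n",
    "._Foo.pm": b"\x00\x05\x16\x07",
}


def manifest_files(dist):
    """Return the paths listed in MANIFEST, one per line, blanks ignored."""
    lines = dist["MANIFEST"].decode().splitlines()
    return [line.strip() for line in lines if line.strip()]


def digest_list(dist):
    """Build 'SHA1 <hex> <path>' lines for every MANIFEST entry. This is the
    text the PGP signature in a SIGNATURE file is made over (format assumed
    to follow Module::Signature); signing it is out of scope here."""
    return "\n".join(
        f"SHA1 {hashlib.sha1(dist[p]).hexdigest()} {p}" for p in manifest_files(dist)
    )


def check_digests(dist, signed_digests):
    """Compare an unpacked distribution against a signed digest list.
    Returns modified files (changed after signing, e.g. by a mirror), files
    the list names but the tarball lacks, and files on disk that nobody
    signed. A clean result only means the tarball matches what the holder
    of the signing key signed; who holds that key is a keyring question."""
    signed = {}
    for line in signed_digests.splitlines():
        algo, hexdigest, path = line.split(" ", 2)
        if algo != "SHA1":
            raise ValueError(f"unsupported digest {algo}")
        signed[path] = hexdigest
    modified = sorted(p for p, h in signed.items()
                      if p in dist and hashlib.sha1(dist[p]).hexdigest() != h)
    missing = sorted(p for p in signed if p not in dist)
    unsigned = sorted(p for p in dist if p not in signed)
    return {"modified": modified, "missing": missing, "unsigned": unsigned}


if __name__ == "__main__":
    sig = digest_list(DIST)
    print(check_digests(DIST, sig))          # only "._Foo.pm" is unsigned
    tampered = dict(DIST, **{"lib/Foo.pm": b"package Foo; our $VERSION = 9; 1;\n"})
    print(check_digests(tampered, sig))      # "lib/Foo.pm" reported as modified
```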