(What would be marginally worth it is having PAUSE sign distros. At least we can assure that the CPAN mirror didn't tamper with the files, which I think is the most likely "attack" on CPAN.)
Frankly, that's the best idea I've heard yet.
It would at least be "trivial" to implement compared to the current situation, and would allow us to provide some manner of security against bad mirrors.
The only downside though might be problems if we have custom mirrors that have third-party modules built into them.
But in general I find the idea less insane than what we do now. Adam K
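The trust model being proposed above (the authority signs, the client verifies, so a mirror can only relay bytes and never vouch for them) is easy to see in a few lines. The following is an added illustration, not code from the thread or from PAUSE: it uses an Ed25519 key as a stand-in for whatever key PAUSE would actually sign with, a hypothetical manifest format of "filename sha256" lines, and constructed tarball bytes. It shows the three outcomes a client must distinguish: a genuine distribution, a tarball altered in transit by a mirror, and a mirror that also rewrites the manifest to match its altered file but cannot produce a valid signature for it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps a distribution filename to the hex SHA-256 of its tarball.
// This "filename digest" line format is a hypothetical stand-in for whatever
// PAUSE would sign; it is not PAUSE's real format.
type Manifest map[string]string

// Encode renders the manifest deterministically (sorted lines) so that the
// signer and the verifier always hash exactly the same bytes.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// SignManifest is the authority-side step: only the holder of the signing key
// (PAUSE, in the thread's proposal) can produce this signature.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// VerifyDistribution is the client-side step. The tarball may come from any
// mirror; the manifest and signature are checked against the authority's
// public key, so a mirror can neither alter a file nor re-list it unnoticed.
func VerifyDistribution(pub ed25519.PublicKey, m Manifest, sig []byte, name string, tarball []byte) error {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return errors.New("manifest signature invalid: not signed by the trusted authority key")
	}
	want, ok := m[name]
	if !ok {
		return fmt.Errorf("%s is not listed in the signed manifest", name)
	}
	sum := sha256.Sum256(tarball)
	if got := hex.EncodeToString(sum[:]); got != want {
		return fmt.Errorf("%s: digest %s does not match signed digest %s (tampered in transit?)", name, got, want)
	}
	return nil
}

// Demo runs the three scenarios and returns their verification results:
// genuine (nil), a tarball altered by the mirror (digest mismatch), and a
// mirror that rewrote the manifest to fit its altered file (bad signature).
func Demo() (genuine, tampered, forged error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed authority key
	if err != nil {
		panic(err)
	}
	const name = "Foo-Bar-1.00.tar.gz"
	tarball := []byte("constructed stand-in for the real tarball bytes")
	sum := sha256.Sum256(tarball)
	m := Manifest{name: hex.EncodeToString(sum[:])}
	sig := SignManifest(priv, m)

	genuine = VerifyDistribution(pub, m, sig, name, tarball)

	altered := append([]byte("x"), tarball...) // one byte prepended by a bad mirror
	tampered = VerifyDistribution(pub, m, sig, name, altered)

	alteredSum := sha256.Sum256(altered)
	evilManifest := Manifest{name: hex.EncodeToString(alteredSum[:])}
	forged = VerifyDistribution(pub, evilManifest, sig, name, altered) // signature no longer matches
	return genuine, tampered, forged
}

func main() {
	g, t, f := Demo()
	fmt.Println("genuine :", g)
	fmt.Println("tampered:", t)
	fmt.Println("forged  :", f)
}
```

The point the code makes is the one the thread makes: with the authority's public key pinned on the client, the mirror drops out of the trust chain entirely, which is why signing is "trivial" relative to schemes that try to make every mirror trustworthy. The custom-mirror caveat above survives unchanged: a distribution that PAUSE never saw will fail the "not listed in the signed manifest" branch unless the client is also configured to trust a second signing key for it.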