Moin,
On Thursday 06 July 2006 03:22, Jonathan Rockway wrote:
> > It adds a dependency on a binary application (gpg) that users have to
> > install by hand, doesn't check for the presence of it properly, and
> > if you don't have it, installs an enormous chain of dependencies,
> > with said deps h
> On Fri, 7 Jul 2006 03:52:52 +0200, "A. Pagaltzis" <[EMAIL PROTECTED]> said:
> * Adam Kennedy <[EMAIL PROTECTED]> [2006-07-07 03:25]:
>> Andreas J. Koenig wrote:
>> >> On Fri, 07 Jul 2006 10:02:00 +1000, Adam Kennedy <[EMAIL PROTECTED]> said:
>> > >> (What would be m
> On Fri, 07 Jul 2006 11:22:16 +1000, Adam Kennedy <[EMAIL PROTECTED]> said:
> Andreas J. Koenig wrote:
>>> On Fri, 07 Jul 2006 10:02:00 +1000, Adam Kennedy <[EMAIL PROTECTED]> said:
>> >> (What would be marginally worth it is having PAUSE sign distros. At
>> >> least we
* Adam Kennedy <[EMAIL PROTECTED]> [2006-07-07 03:25]:
> Andreas J. Koenig wrote:
> >> On Fri, 07 Jul 2006 10:02:00 +1000, Adam Kennedy <[EMAIL PROTECTED]> said:
> > >> (What would be marginally worth it is having PAUSE sign
> > >> distros. At least we can assure that the CPAN mirror
>
> On Fri, 07 Jul 2006 10:02:00 +1000, Adam Kennedy <[EMAIL PROTECTED]> said:
>> (What would be marginally worth it is having PAUSE sign distros. At
>> least we can assure that the CPAN mirror didn't tamper with the
>> files, which I think is the most likely "attack" on CPAN.)
> Frankly,
Andreas J. Koenig wrote:
On Fri, 07 Jul 2006 10:02:00 +1000, Adam Kennedy <[EMAIL PROTECTED]> said:
>> (What would be marginally worth it is having PAUSE sign distros. At
>> least we can assure that the CPAN mirror didn't tamper with the
>> files, which I think is the most likely "attack"
(What would be marginally worth it is having PAUSE sign distros. At
least we can assure that the CPAN mirror didn't tamper with the files,
which I think is the most likely "attack" on CPAN.)
Frankly, that's the best idea I've heard yet.
It would at least be "trivial" to implement compared to
Sorry, meant to send this to the list. :)
What’s the point?
Good question. Crypt::OpenPGP doesn't maintain a web-of-trust either.
People that have webs of trust have GPG, otherwise, what are they using?
If all that’s verified is that the distribution was signed with
the key uploaded to
* Jonathan Rockway <[EMAIL PROTECTED]> [2006-07-06 03:25]:
> I think the solution (to dependency hell) is to dictate that
> CPAN modules be signed with a standard algorithm. OpenPGP
> allows too many different algorithms, hence the 22 modules
> Crypt::OpenPGP is dependent on. The only strong reaso