
uscan vs CPAN signatures inside tar ball (was: Minutes of the Debian Perl Team BoF at DebConf: Friday, 2015-08-21, 13 UTC [origin: gregoa@debian.org])
Hi Daniel,

gregor herrmann wrote:
> > Tomorrow we'll have our annual BoF at DebConf:
> > https://summit.debconf.org/debconf15/2015-08-20/
> > starting at 15:00 local time (CEST; = 13:00 UTC) in room "Amsterdam".
> 
> The meeting happened as planned, and was again both nice and
> constructive. There were 10 people present physically and 3 remotely.
> 
> Thanks to all participants and especially to Harlan for taking
> perfect minutes on the fly which are pasted below.
[...]
> The CPAN signature verification was discussed.  XTaran volunteered to
> discuss the ability to match signatures with dkg.
> 
> RESOLVED:  XTaran will discuss signature verification with dkg.

So let's do that. Since intri seems interested, too, I decided to Cc
all debian-perl@l.d.o as I'd anyways have to write something about
that to the team.

There exists the Module::Signature (packaged as
libmodule-signature-perl) which…

| adds cryptographic authentications to CPAN distributions, via the
| special SIGNATURE file.

(Citation from https://metacpan.org/pod/Module::Signature#DESCRIPTION)

More from that page which explains a little bit how the workflow is
being expected:

| If you are a module user, all you have to do is to remember to run
| cpansign -v (or just cpansign) before issuing perl Makefile.PL or
| perl Build.PL; that will ensure the distribution has not been
| tampered with.
|
| Module authors can easily add the SIGNATURE file to the distribution
| tarball; […]
|
| If you really want to sign a distribution manually, simply add
| SIGNATURE to MANIFEST, then type cpansign -s immediately before make
| dist. Be sure to delete the SIGNATURE file afterwards.

It would be cool if uscan could also check this kind of signature, as
they seem to be PGP-based, too.

I wonder how difficult it will be to add support for this to uscan.
And I wonder what would be a sane watch file syntax extension to cover
this kind of signature. Or should it just be done automatically? If
so, based on what?

Daniel: Have you by chance looked into this already? If not, any
expectations how easy or difficult it could be to add such support to
uscan based on your pgpsigurlmangle work on uscan?

There's btw. also https://metacpan.org/pod/Test::Signature but that
seems to be targeted towards CPAN distribution authors so that an
according check is made inside the CPAN distribution's test suite. But
IMHO this is far too late for our purpose.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE

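An added illustration, not code from this thread, from uscan or from Module::Signature: a Python sketch of the digest-check half of what `cpansign -v` does, applied to a tarball the way uscan would see it. It pulls SIGNATURE out of the archive, parses the clearsigned digest lines (assumed format `ALGO HEXDIGEST PATH`, as Module::Signature writes them), and recomputes each member's digest; the constructed sample tarball carries only placeholder PGP armor, so verifying the signature itself against a trusted key (with gpg) remains a separate step.

```python
import hashlib, io, re, tarfile
# Clearsigned digest lines in SIGNATURE (assumed format: "<ALGO> <hexdigest> <path>").
DIGEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512|MD5)\s+([0-9a-f]+)\s+(\S+)\s*$")

def parse_signature(text):
    """Return {path: (hashlib name, hexdigest)} from the clearsigned body."""
    body = text.partition("-----BEGIN PGP SIGNED MESSAGE-----")[2]
    body = body.partition("-----BEGIN PGP SIGNATURE-----")[0]
    return {m.group(3): (m.group(1).lower(), m.group(2))
            for m in map(DIGEST_LINE.match, body.splitlines()) if m}

def check_tarball_digests(tar_bytes):
    """Integrity half of `cpansign -v`: recompute each listed digest from the
    tarball and return (ok, problems). The PGP signature over SIGNATURE must
    still be checked separately (gpg, against a trusted key)."""
    members, problems = {}, []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():  # drop the top-level "Foo-1.00/" directory
                rel = m.name.split("/", 1)[1] if "/" in m.name else m.name
                members[rel] = tar.extractfile(m).read()
    sig = members.pop("SIGNATURE", None)
    if sig is None:
        return False, ["SIGNATURE missing from tarball"]
    expected = parse_signature(sig.decode())
    for path, (algo, digest) in expected.items():
        if path not in members:
            problems.append(f"{path}: listed in SIGNATURE but absent")
        elif hashlib.new(algo, members[path]).hexdigest() != digest:
            problems.append(f"{path}: digest mismatch")
    problems += [f"{p}: not covered by SIGNATURE" for p in members if p not in expected]
    return not problems, problems

def build_sample_tarball(tamper=False):
    """Constructed sample distribution; the PGP armor is only a placeholder."""
    files = {"MANIFEST": b"MANIFEST\nSIGNATURE\nlib/Foo.pm\n",
             "lib/Foo.pm": b"package Foo; 1;\n"}
    lines = [f"SHA256 {hashlib.sha256(d).hexdigest()} {p}" for p, d in files.items()]
    files["SIGNATURE"] = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                          + "\n".join(lines) + "\n-----BEGIN PGP SIGNATURE-----\n"
                          "PLACEHOLDER\n-----END PGP SIGNATURE-----\n").encode()
    if tamper:  # alter a file after SIGNATURE was produced
        files["lib/Foo.pm"] = b"package Foo; our $VERSION = '9'; 1;\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p, data in files.items():
            info = tarfile.TarInfo("Foo-1.00/" + p)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

A watch-file integration would run this after the download and before the digest check uscan already does on the tarball, failing the fetch when any problem is reported.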