
Re: uscan vs CPAN signatures inside tar ball (was: Minutes of the Debian Perl Team BoF at DebConf: Friday, 2015-08-21, 13 UTC [origin: gregoa@debian.org])



Hi,

On Tue, Aug 25, 2015 at 07:48:54PM +0200, Axel Beckert wrote:
[...]
> > RESOLVED:  XTaran will discuss signature verification with dkg.
> 
> So let's do that. Since intri seems interested, too, I decided to Cc
> all debian-perl@l.d.o as I'd anyways have to write something about
> that to the team.
> 
> There exists the Module::Signature (packaged as
> libmodule-signature-perl) which…
> 
> | adds cryptographic authentications to CPAN distributions, via the
> | special SIGNATURE file.
> 
> (Citation from https://metacpan.org/pod/Module::Signature#DESCRIPTION)
> 
> More from that page which explains a little bit how the workflow is
> being expected:
> 
> | If you are a module user, all you have to do is to remember to run
> | cpansign -v (or just cpansign) before issuing perl Makefile.PL or
> | perl Build.PL; that will ensure the distribution has not been
> | tampered with.
> |
> | Module authors can easily add the SIGNATURE file to the distribution
> | tarball; […]
> |
> | If you really want to sign a distribution manually, simply add
> | SIGNATURE to MANIFEST, then type cpansign -s immediately before make
> | dist. Be sure to delete the SIGNATURE file afterwards.
> 
> It would be cool if uscan could also check this kind of signatures as
> they seem to be PGP-based, too.
> 
> I wonder how difficult it will be to add support for this to uscan.
> And I wonder what would be a sane watch file syntax extension to cover
> this kind of signatures. Or should it just be done automatically? If
> so, based on what?
> 
> Daniel: Have you by chance looked into this already? If not, any
> expectations how easy or difficult it could be to add such support to
> uscan based on your pgpsigurlmangle work on uscan?

For me pgpsigurlmangle is a new thing. If that is the case for anyone else, dkg
talks about it here:
http://saimei.acc.umu.se/pub/debian-meetings/2015/debconf15/Lightning_talks_2.webm
(starts at 24:00)

Regards,
 Tamas
-- 
CSILLAG Tamas (cstamas) - http://cstamas.hu/

"Twenty years from now you will be more disappointed by the things you didn’t
do than by the ones you did do. So throw off the bowlines, sail away from the
safe harbor. Catch the trade winds in your sails. Explore. Dream. Discover."
               -- Mark Twain
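As an added illustration, not code from this thread or from Module::Signature itself, the following shows the file-integrity half of what `cpansign -v` does: the signed body of SIGNATURE carries one `ALGO HEX FILE` digest line per distributed file, and verification compares those digests with the files named in MANIFEST. The sample files and digest lines are constructed, and the example assumes the PGP clear-signature wrapping that body has already been checked with gpg.

```python
import hashlib
import os
import re
import tempfile

# Assumed digest-line format inside the clear-signed SIGNATURE body.
DIGEST_LINE = re.compile(r'^(SHA1|SHA256)\s+([0-9a-f]+)\s+(\S+)$')


def parse_signature_digests(body):
    """Return {filename: (algo, hexdigest)} from the signed digest list."""
    digests = {}
    for line in body.splitlines():
        m = DIGEST_LINE.match(line)
        if m:
            digests[m.group(3)] = (m.group(1), m.group(2))
    return digests


def file_digest(path, algo):
    h = hashlib.new(algo.lower())
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def verify_digests(distdir, digests, manifest):
    """Check every MANIFEST entry (except SIGNATURE) against the digest list.
    Returns a list of problems; an empty list means nothing was tampered with."""
    problems = []
    for name in manifest:
        if name == 'SIGNATURE':
            continue  # the signature file does not list itself
        if name not in digests:
            problems.append(f'{name}: in MANIFEST but not in SIGNATURE')
        elif file_digest(os.path.join(distdir, name), digests[name][0]) != digests[name][1]:
            problems.append(f'{name}: digest mismatch')
    problems += [f'{n}: in SIGNATURE but not in MANIFEST' for n in digests if n not in manifest]
    return problems


def demo():
    """Constructed distribution: verify clean, then modify one file and re-verify."""
    with tempfile.TemporaryDirectory() as d:
        files = {'Changes': b'0.01 initial release\n', 'lib/Foo.pm': b'package Foo;\n1;\n'}
        for name, data in files.items():
            os.makedirs(os.path.dirname(os.path.join(d, name)), exist_ok=True)
            with open(os.path.join(d, name), 'wb') as f:
                f.write(data)
        manifest = list(files) + ['SIGNATURE']
        body = '\n'.join(f'SHA256 {hashlib.sha256(v).hexdigest()} {k}' for k, v in files.items())
        clean = verify_digests(d, parse_signature_digests(body), manifest)
        with open(os.path.join(d, 'Changes'), 'ab') as f:
            f.write(b'# tampered after signing\n')
        tampered = verify_digests(d, parse_signature_digests(body), manifest)
        return clean, tampered
```

`demo()` returns an empty problem list for the untouched tree and `['Changes: digest mismatch']` after the file is altered, which is the condition under which cpansign refuses to report "Signature verified OK".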

