Some time after Audrey got Module::Signature usable, mysterious 00-signature.t test scripts started appearing in distributions.
I noticed mostly because they were a major source of testing failures on Win32, because it generally doesn't have gpg support, and goes on to install a hideous dependency chain of the disgusting swamp of Perl's crypto modules, which almost inevitably fails to install.
It didn't occur to me until later that 00-signature.t isn't actually useful.
While CPAN's normal checksum mechanism protects against accidental file corruption, the purpose of Module::Signature is to cryptographically verify that a module was released by a specific author.
There's clearly some major problems with this approach.
1) Trivially exploitable
Most glaringly, if a hostile entity does attempt to modify a distribution, the very first thing they will do is to delete the 00-signature.t file, or modify it to make it return success.
The very concept of using potentially exploited code to test whether that code has been exploited is utterly irrational.
2) Duplicated Functionality
The CORRECT place for verification testing is in the CPAN client, and indeed CPAN.pm (and I assume CPANPLUS as well) has Module::Signature support (although it doesn't install it by default any more due to the aforementioned bugginess).
So even if signature testing IS possible on that host, the use of 00-signature.t becomes superfluous.
3) Source of Waste
If 00-signature.t was only duplicating, but had perfect installability and was entirely bug free, it would merely be a design flaw with no major impact.
Unfortunately, signature testing is also a source of bugs and test fails in various places, generates spurious FAIL reports for modules, and is basically just a source of make-work.
4) False Sense of Security
Worse still, the existence of 00-signature.t files may lead users to believe they are being protected, when this is not the case.
It also lets authors tick off a box and move on incorrectly, when the REAL focus for improving security should be in the hideous dependency chain for Module::Signature.
To summarize, I think this practice is one we need to stamp out.
I'd like to see a kwalitee point docked if a signature test exists in a distribution, and some education work done to help educate authors about this misfeature.
Re:makes sense to me.
markjugg on 2007-12-12T03:05:57
Oops. It's just too bad I didn't notice I spelled my own name wrong before I hit Submit...
Of course the real mechanism to verify signatures is out of band. The command that does it is cpansign -v. The 00-signature.t file simply does the equivalent of cpansign -v to verify that it actually works.
Just like tests generally just verify that something does what it intends to do.
Imagine that an author signs his work wrongly. During make disttest he will notice the bug and has a chance to fix the thing before releasing. Just like with any other test.
Re:You miss the point
Alias on 2007-12-12T05:40:31
In which case never, under any circumstances, should this test EVER run during installation.
It should be a compulsory skip, unless something like AUTOMATED_TESTING or AUTHOR_TESTING is enabled.
Re:You miss the point
audreyt on 2007-12-12T07:28:14
Correct. It was intended as a convenience measure for "make disttest", that's all.
The standard boilerplate 00-signature.t (as documented in Module::Signature's POD) has this opening:

    if (!$ENV{TEST_SIGNATURE}) {
        print "ok 1 # skip set the environment variable TEST_SIGNATURE to enable this test\n";
    }

Which satisfies the compulsory skip requirement via the environment variable TEST_SIGNATURE.
Re:You miss the point
Alias on 2007-12-12T23:41:07
Do you think it's necessary to have its own TEST_SIGNATURE flag?
If the contexts in which it should be used are clear, perhaps it would be better to flag it on AUTOMATED_TESTING or a context-appropriate flag.
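A complete 00-signature.t written along the lines of the exchange above, as an added example (it is not code from this thread or from Module::Signature's own POD). It keeps the compulsory skip that audreyt describes and, as Alias suggests, also honours AUTHOR_TESTING as an opt-in, so the check never runs on an end user's plain "make test" and a missing Module::Signature on Win32 yields a skip rather than a FAIL. It assumes Module::Signature's documented verify() function and SIGNATURE_OK constant, a SIGNATURE file in the distribution root, and a working gpg for the actual verification.

```perl
#!/usr/bin/perl
# 00-signature.t: only meaningful for the author's "make disttest".
# Example test script; the env-variable policy (TEST_SIGNATURE or
# AUTHOR_TESTING) is an assumption of this example, not a CPAN standard.
use strict;
use warnings;
use Test::More;

# Compulsory skip: without an explicit opt-in the whole file is skipped,
# so installation on an end user's machine is never affected.
unless ( $ENV{TEST_SIGNATURE} || $ENV{AUTHOR_TESTING} ) {
    plan skip_all => 'Set TEST_SIGNATURE or AUTHOR_TESTING to enable this test';
}

# Skip, do not fail, when the verifier itself cannot be loaded: a host
# without Module::Signature (typical on Win32) must not produce a FAIL report.
unless ( eval { require Module::Signature; 1 } ) {
    plan skip_all => 'Module::Signature is not installed';
}

# Nothing to verify if the author has not signed the distribution.
unless ( -e 'SIGNATURE' ) {
    plan skip_all => 'No SIGNATURE file found in the distribution root';
}

plan tests => 1;

# verify() returns SIGNATURE_OK on success and another status constant
# (e.g. SIGNATURE_BAD or SIGNATURE_MISMATCH) when the file contents do not
# match what was signed. It needs gpg and, by default, keyserver access.
my $status = Module::Signature::verify();
is( $status, Module::Signature::SIGNATURE_OK(),
    'SIGNATURE file matches the distribution contents' )
    or diag('Re-sign with "cpansign -s" before releasing');
```

Because every precondition turns into skip_all rather than a failure, a distribution carrying this file installs cleanly on hosts with no crypto stack at all, while an author running it with TEST_SIGNATURE=1 during make disttest still catches a stale or mis-generated SIGNATURE before upload.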
Re:Hallo Adam
Alias on 2007-12-13T23:12:27
Module::Signature is not necessary to release to CPAN.
Re:Hallo Adam
sir_lichtkind on 2007-12-14T13:39:48
I'm not that experienced, but P6bible has a signature file. To generate the new sigs I thought I need Module::Sig.
Re:Hallo Adam
Alias on 2007-12-15T02:56:46
It's not strictly needed for you to release with a signature file, even if Audrey does.
This is especially so if you are in Windows, as the support for Module::Signature on Win32 is weak.