Secure CPAN

acme on 2002-08-04T17:39:39

Occasionally I make noises about the fact that CPAN is so insecure and that maybe we should throw digital signatures at it. Well, crypto is tricky, but I came across the Strong Distribution HOWTO which explains what is needed. Infrastructure. A pure-perl openpgp implementation (luckily we have Crypt::OpenPGP, which looks good). Lots of keys and keysigning (there are a lot of CPAN authors and we'd have to convince each of them to use crypto and sign their distributions, arrrggh). Basically a lot of work for a system where people still do "perl Makefile.PL", "make" and "make test" as root. Interesting though...


Is there an archive

hfb on 2002-08-04T18:07:55

somewhere where this is actually being used and being used successfully currently?

Re:Is there an archive

Matts on 2002-08-04T20:42:44

Does it matter much? It shouldn't take much more infrastructure to support storing PGP signatures of each upload - should "just work". And then it just requires a modification to CPANPLUS - Jos said that wouldn't be much work.

Of course there's probably lots I'm not thinking of.

Re:Is there an archive

darobin on 2002-08-05T00:03:47

Not much of a change indeed, except that for better spreadability still a change to MakeMaker might help (in case people aren't using CPANPLUS). I'm not a security freak, but I've always been amazed that no exploit (that I know of) has managed to make its way through CPAN, and I'm totally in favour of requiring all CPAN authors to provide public keys. After that making "make dist" auto-require a signature wouldn't be too hard.

The additional bonuses appear in the fact that modules could be recommended by CPAN authors so that depending on who one trusts one would get different recommendations, and so forth. In short, we could make CPAN a helping member in the Web of Trust, thus showcasing Perl as secure technology.

Re:Is there an archive

echo on 2002-08-14T13:31:16

But having signed distros isn't enough. Why would I trust Foo's signature? PGP is cool but it requires establishing a web of trust. Here and there people seem to understand that, but actually getting them to exchange key signatures is another story--while at OSCON I could get only one guy to sign my key. Until we actively sign each other's keys when we physically meet, this will remain a pipe dream.
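The flow Matts sketches above (store a detached signature with each upload, have the client verify before building) and the objection echo raises (a signature is only as good as the decision to trust the key behind it) can be shown end to end in a small program. This is an added example, not code from the thread, from CPANPLUS or from Crypt::OpenPGP: it uses Go's standard-library Ed25519 as a stand-in for an OpenPGP detached signature, the author ID "FOO" and the file contents are constructed, and the keyring is simply a map of author ID to the one public key the client has chosen to trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Distribution is an in-memory stand-in for an unpacked CPAN tarball:
// relative path -> file contents. (Constructed sample data, not a real dist.)
type Distribution map[string][]byte

// Manifest renders a canonical, sorted "sha256  path" listing of the files.
// This text is what the author signs, so every client recomputes the same
// bytes regardless of how the tarball was packed or unpacked.
func Manifest(d Distribution) []byte {
	paths := make([]string, 0, len(d))
	for p := range d {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	for _, p := range paths {
		sum := sha256.Sum256(d[p])
		fmt.Fprintf(&b, "%s  %s\n", hex.EncodeToString(sum[:]), p)
	}
	return []byte(b.String())
}

// Keyring maps an author ID to the public key the client trusts for it.
// An author absent from the ring is untrusted; the trust decision is
// explicit and local, which is the point echo makes about the web of trust.
type Keyring map[string]ed25519.PublicKey

var (
	ErrUnknownAuthor = errors.New("no trusted key for author")
	ErrBadSignature  = errors.New("signature does not verify over manifest")
)

// Sign is the upload side: a detached signature over the manifest.
// Ed25519 stands in here for an OpenPGP detached signature.
func Sign(priv ed25519.PrivateKey, d Distribution) []byte {
	return ed25519.Sign(priv, Manifest(d))
}

// Verify is the installer side, run before "perl Makefile.PL": look up the
// claimed author's key, check the detached signature over a freshly computed
// manifest, and refuse on an unknown author or a mismatch.
func Verify(ring Keyring, author string, d Distribution, sig []byte) error {
	pub, ok := ring[author]
	if !ok {
		return ErrUnknownAuthor
	}
	if !ed25519.Verify(pub, Manifest(d), sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo builds a sample distribution, signs it as author "FOO", and exercises
// the three verifier outcomes: clean install, tampered file, unknown author.
func Demo() (clean, tampered, unknown error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dist := Distribution{
		"Makefile.PL":        []byte("use ExtUtils::MakeMaker; WriteMakefile(NAME => 'Acme::Signed');\n"),
		"lib/Acme/Signed.pm": []byte("package Acme::Signed; 1;\n"),
	}
	sig := Sign(priv, dist)
	ring := Keyring{"FOO": pub}

	clean = Verify(ring, "FOO", dist, sig)

	// A modified Makefile.PL on a mirror changes the manifest, so the
	// detached signature no longer verifies.
	evil := Distribution{}
	for k, v := range dist {
		evil[k] = v
	}
	evil["Makefile.PL"] = []byte("print 'not the author's Makefile.PL'; 1;\n")
	tampered = Verify(ring, "FOO", evil, sig)

	// Same tarball, valid signature, but the client has never trusted "BAR".
	unknown = Verify(ring, "BAR", dist, sig)
	return
}

func main() {
	clean, tampered, unknown := Demo()
	fmt.Println("clean install: ", clean)
	fmt.Println("tampered dist: ", tampered)
	fmt.Println("unknown author:", unknown)
}
```

Signing the sorted manifest rather than the tarball bytes is deliberate: it keeps the signed object independent of packaging details, and it is also what makes the "just a modification to CPANPLUS" estimate plausible, since the client only needs the manifest computation, a keyring lookup and a verify call. Note that a passing `Verify` says nothing about whether "FOO" should have been in the keyring in the first place; that is the key-signing problem the thread is really about.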

Re:Is there an archive

hfb on 2002-08-05T01:57:37

Well, I'd be interested to see if other archives like CTAN, etc. have ever attempted it or are actually doing this. Sun has the Solaris fingerprint database which was started, as I recall, by Casper Dik. PKI is inherently flawed and the 'web of trust' is only as trustworthy as the weakest link and, with over 1600 authors, there exists a great potential for poor key management and system administration. I just don't see how this method would greatly improve upon the current method.

Re:Is there an archive

IlyaM on 2002-08-19T17:40:55

I think Debian have it. All Debian packages are signed using the packager's GPG key and all GPG keys are in the web of trust. There is a quite strict procedure you need to pass to become a packager and have your key signed by another packager. It is described in this document. This is to ensure that your key does represent you.

Not sure that CPAN needs to follow a similar procedure for new CPAN author registration but since you have asked...