Keysigning at TPC

ziggy on 2002-07-11T20:45:41

acme's journal entry about gentoo touches on digital signatures for CPAN modules.

That got me thinking: anyone interested in a keysigning bof at TPC? It's probably the best opportunity we have as a community to meet face to face for such a thing...


Explain

petdance on 2002-07-11T20:51:32

Can someone please explain keysigning? We're talking about swapping PGP/GPG keys in some form, right? Why is that a fun thing to do?

I must be overly sheltered or something.

Re:Explain

ziggy on 2002-07-11T21:12:06

Can someone please explain keysigning? We're talking about swapping PGP/GPG keys in some form, right?
Yep.
Why is that a fun thing to do?
Cryptogeeks and starry-eyed geeks might find this a fun thing to do. I see it as more of a way for creating a foundation for a "web of trust" around CPAN.

Re:Explain

pudge on 2002-07-16T03:47:29

FWIW, I personally don't find significance in face-to-face keysigning over doing it online.

keysigning ++

ask on 2002-07-12T01:09:55


yes, I think it's a good idea. However, we have talked about it just about every year... :-)

Re:keysigning ++

acme on 2002-07-13T09:42:06

This brings up the fact that we talk a lot about CPAN changes every year at every conference I have been to. All the ideas just die as soon as everyone gets home. I think this is a prime example of JFDI. Trying to bundle every module on CPAN for Gentoo has certainly given me an eye for some things that could be changed to make things easier, and I think that rather than trying to set up a project and get people to try and make the change, I might do it from the bottom up instead, mailing all the module maintainers. More details when I have an idea of what I actually want to do ;-)

Re:keysigning ++

hfb on 2002-07-13T23:44:10

I've mentioned frequently that any major change in much of what people find objectionable on CPAN will come only from the 1500 or so registered CPAN authors, not from some authoritarian rules or enforced QA. I write authors now and then when I see something and the testers do an admirable job doing the same. Every little bit helps...or so I like to hope. I'll be very interested in seeing what you come up with.

As far as the keysigning goes, it's an old idea and, I suspect, one whose time has not yet come. Signature verification would need to be built into tools to make the job trouble free. Andreas and Jarkko both convinced me that while it seems like a good idea, it is one that merely adds a layer of complexity without any real assurance, any more than the MD5 checksum provides. I know that Andreas mentioned at one point a plan to have CPAN.pm check 3 random mirrors for checksums instead of just one a while back but I don't think that was ever done either. It is a widely distributed ftp/http public mirror and while signing distributions may assuage fears of abuse, it would simply piss a lot of people off considering how few can find the download button on CPAN much less verify a PGP signature. It won't keep the determined from causing problems, e.g. some guy uploads a real module, it becomes popular, people trust the author and signature, author then releases malicious code with a valid signature; or hacker gets author's computer, uploads malicious code with correct signature; etc.

On the web/internet, the smart trust no one. :)
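The "check 3 random mirrors instead of just one" idea hfb attributes to Andreas, worked through as an added example that is not part of this thread or of CPAN.pm: the mirrors, the distribution name and the tarball contents are all constructed, and SHA-256 stands in for the MD5 digests CPAN's CHECKSUMS files carried at the time.

```python
import hashlib
import random
from typing import Dict, List, Optional

# Constructed sample data: each mirror is modelled as its CHECKSUMS file, a
# mapping from distribution filename to the digest it advertises.
DIST = "Foo-Bar-1.00.tar.gz"
GOOD_TARBALL = b"constructed stand-in for the tarball the author uploaded"
BAD_TARBALL = b"constructed stand-in for a tarball altered on one mirror"


def digest_of(data: bytes) -> str:
    # SHA-256 here; the CHECKSUMS files discussed in the thread used MD5.
    return hashlib.sha256(data).hexdigest()


MIRRORS: List[Dict[str, str]] = [
    {DIST: digest_of(GOOD_TARBALL)},
    {DIST: digest_of(GOOD_TARBALL)},
    {DIST: digest_of(BAD_TARBALL)},   # mirror 2 serves an altered file plus a CHECKSUMS that matches it
    {DIST: digest_of(GOOD_TARBALL)},
]


def check_single_mirror(dist: str, data: bytes, mirror: Dict[str, str]) -> bool:
    """The one-mirror check: does the file match the CHECKSUMS of the mirror it came from?"""
    return mirror.get(dist) == digest_of(data)


def check_mirror_quorum(dist: str, data: bytes, mirrors: List[Dict[str, str]],
                        k: int = 3, indices: Optional[List[int]] = None,
                        rng: Optional[random.Random] = None) -> bool:
    """Compare the file against the CHECKSUMS of k mirrors (chosen at random
    unless `indices` is given). A mirror that lacks the entry or disagrees
    fails the whole check: one dissenting mirror is treated as possible tampering."""
    if indices is None:
        rng = rng or random.Random()
        indices = rng.sample(range(len(mirrors)), k=min(k, len(mirrors)))
    actual = digest_of(data)
    return all(mirrors[i].get(dist) == actual for i in indices)


if __name__ == "__main__":
    # A client that fetched from the tampered mirror and checked only that mirror passes...
    print("single-mirror check on tampered copy:", check_single_mirror(DIST, BAD_TARBALL, MIRRORS[2]))
    # ...but any three of these four mirrors include an honest one, so the quorum check fails.
    print("3-mirror check on tampered copy:", check_mirror_quorum(DIST, BAD_TARBALL, MIRRORS, k=3))
```

Agreement across mirrors only shows that the copy matches what was uploaded to the master archive; it says nothing about the upload itself, which is exactly the compromised-key and compromised-author-machine case hfb raises.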