PerlMonks  

Re^4: Blatant security problem in certain CPAN module installs

by adrianh (Chancellor)
on May 03, 2004 at 14:00 UTC (#350008=note)


in reply to Re: Re^2: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs

To add to what Abigail-II said, SIGNATURE files are not currently a good security system. As things stand now, it is unlikely that you have a sufficient web-of-trust to verify the author's key. It is thus very easy for man-in-the-middle attacks to work.

They're certainly not as good a mechanism as they could be with more support for them in the infrastructure - but I'd still argue they're an improvement over straight hashes.

Further, a lot of people don't check the signature until the automatic installation method has already done it for them (usually via a 001_signature.t test). This means the code has already started running by the time the signature is checked.

And that's foolish on their part. I don't do that.
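An added example, not code from this thread, of the ordering the posts above argue for: check the SIGNATURE file before `perl Makefile.PL` runs, rather than from a `001_signature.t` test that only runs after the distribution's code has already executed. It assumes Module::Signature's `SHA1 <hex> <path>` digest lines inside the clearsigned SIGNATURE, and a gpg keyring that already holds the author's key (the web-of-trust gap the thread mentions is not solved here); in practice `cpansign -v` from Module::Signature performs both checks.

```shell
#!/bin/sh
# Digest of one file, using whichever SHA-1 tool the host provides.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d' ' -f1
  else shasum -a 1 "$1" | cut -d' ' -f1; fi
}

# Compare every "SHA1 <hex> <path>" line in SIGNATURE against the files on
# disk. Returns 0 only if at least one digest line exists and all match.
# This is the "straight hashes" part: it detects tampering after signing,
# but says nothing about who produced the list.
check_digests() {
  dir="$1"
  sig="$dir/SIGNATURE"
  [ -f "$sig" ] || { echo "no SIGNATURE file in $dir" >&2; return 1; }
  [ "$(grep -c '^SHA1 ' "$sig")" -gt 0 ] || { echo "no digest lines" >&2; return 1; }
  # The brace group keeps the loop and its verdict in one subshell.
  grep '^SHA1 ' "$sig" | {
    bad=0
    while read -r _algo expected path; do
      if [ ! -f "$dir/$path" ]; then
        echo "missing: $path" >&2; bad=1; continue
      fi
      actual=$(sha1_of "$dir/$path")
      if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: $path" >&2; bad=1
      fi
    done
    [ "$bad" -eq 0 ]
  }
}

# Order matters: nothing from the distribution runs until both the digests
# and the PGP signature over them have been checked.
verify_then_configure() {
  dir="$1"
  check_digests "$dir" || return 1
  # gpg --verify on the clearsigned file ties the digest list to the
  # signer's key; it fails if that key is not in the local keyring.
  ( cd "$dir" && gpg --verify SIGNATURE ) || return 1
  ( cd "$dir" && perl Makefile.PL )
}
```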
