PerlMonks  

Re^4: Blatant security problem in certain CPAN module installs

by adrianh (Chancellor)
on May 03, 2004 at 14:00 UTC (#350008=note)


in reply to Re: Re^2: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs

To add to what Abigail-II said, SIGNATURE files are not currently a good security system. As things stand now, it is unlikely that you have a sufficient web-of-trust to verify the author's key. It is thus very easy for man-in-the-middle attacks to work.

They're certainly not as good a mechanism as they could be with more support for them in the infrastructure - but I'd still argue they're an improvement over straight hashes.

Further, a lot of people don't check the signature until the automatic installation method has already done it for them (usually via a 001_signature.t test). This means the code has already started running by the time the signature is checked.

And that's foolish on their part. I don't do that.
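The ordering problem raised above (the SIGNATURE check living in a test that runs only after Makefile.PL and make have already executed distribution code) is what a check run before any build step addresses. The example below is added here and is not from the thread or from Module::Signature: it parses the digest lines of a SIGNATURE file and compares them with an unpacked tree held in memory, with `make_signature` as a constructed stand-in for `cpansign -s` and a constructed sample distribution; it deliberately leaves the PGP layer unverified, which is the web-of-trust gap the thread describes.

```python
import hashlib
import re

# Digest line in the clearsigned body of a Module::Signature SIGNATURE file,
# e.g. "SHA1 <40 hex digits> lib/Foo.pm" (newer files use SHA256 lines).
DIGEST_LINE = re.compile(r"^(SHA1|SHA256) ([0-9a-f]+) (\S.*)$")

def parse_signature(sig_text):
    """Return {filename: (algorithm, hexdigest)} from the signed body only."""
    digests, in_body = {}, False
    for line in sig_text.splitlines():
        if line.startswith("-----BEGIN PGP SIGNED MESSAGE-----"):
            in_body = True
        elif line.startswith("-----BEGIN PGP SIGNATURE-----"):
            break
        elif in_body and (m := DIGEST_LINE.match(line)):
            algo, hexdigest, name = m.groups()
            digests[name] = (algo.lower(), hexdigest)
    return digests

def check_digests(digests, files):
    """Compare the digest list with the unpacked tree (files: {name: bytes}).
    Returns sorted problems; [] means every listed file matches and nothing
    unlisted was added. Run this BEFORE perl Makefile.PL / make test so no
    distribution code executes first. Integrity only: whether the list itself
    is genuine depends on verifying the PGP layer against a key you trust."""
    problems = []
    for name, (algo, expected) in digests.items():
        data = files.get(name)
        if data is None:
            problems.append(f"missing: {name}")
        elif hashlib.new(algo, data).hexdigest() != expected:
            problems.append(f"digest mismatch: {name}")
    problems += [f"unsigned file: {n}" for n in files if n not in digests and n != "SIGNATURE"]
    return sorted(problems)

def make_signature(files):
    """Constructed stand-in for 'cpansign -s': the clearsigned body with the
    PGP signature block left as a placeholder, so the checker runs offline."""
    body = "\n".join(f"SHA1 {hashlib.sha1(d).hexdigest()} {n}" for n, d in sorted(files.items()))
    return ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n" + body +
            "\n-----BEGIN PGP SIGNATURE-----\n[placeholder]\n-----END PGP SIGNATURE-----\n")

# Constructed sample distribution: an intact tree, then the same tree with one
# module altered and an unlisted test added after signing.
GOOD = {"MANIFEST": b"Makefile.PL\nlib/Foo.pm\nt/001_signature.t\n",
        "Makefile.PL": b"use ExtUtils::MakeMaker; WriteMakefile(NAME => 'Foo');\n",
        "lib/Foo.pm": b"package Foo; 1;\n",
        "t/001_signature.t": b"use Test::Signature; signature_ok();\n"}
SIG = make_signature(GOOD)
TAMPERED = {**GOOD, "lib/Foo.pm": b"package Foo; # altered after signing\n1;\n",
            "t/extra.t": b"1;\n"}
```

On a real unpacked distribution you would fill `files` by reading every path named in MANIFEST from the extracted directory, and only proceed to Makefile.PL when the list is empty and the PGP signature has been verified separately.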

