in reply to
Re: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs
The SIGNATURE is basically only used to verify there are no transmit errors. Using it for any form of verification or accountability only gives one a false sense of security, which is worse than no sense of security, IMO.
That argument gets tossed around a lot and it's simply not true. The SIGNATURE file is used to ensure that the person who uploaded a file is one whom you trust. PGP is not MD5.