Are CPAN and PAUSE trusted?
Ilya Zakharevich 2006-05-13, 3:57 am
[A complimentary Cc of this posting was sent to
Eric R. Meyers
<ermeyers@adelphia.net>], who wrote in article <FYSdneLXENKDEfjZRVn-uA@adelphia.com>:
> ==========================================================================
> There are a lot of modules in CPAN that don't have SIGNATURE files, and if
> they do, a lot of them don't have Trusted signatures, if even good ones.
> I'm available to help authors with correcting this issue. Well not
> completely correcting, but just improving things a little bit, one CPAN
> author at a time.
First, get CPAN and PAUSE authenticated through a "trusted" root.
Second, allow a way for CPAN authors to authenticate THROUGH the CPAN
certificate. (I.e., make PAUSE issue certificates to all the authors.)
IM[uneducated]O, only after these steps a cooperation of authors may be sought.
Hope this helps,
Ilya

Eric R. Meyers 2006-05-13, 6:57 pm
Ilya Zakharevich wrote:
> [A complimentary Cc of this posting was sent to
> Eric R. Meyers
> <ermeyers@adelphia.net>], who wrote in article
> <FYSdneLXENKDEfjZRVn-uA@adelphia.com>:
> ==========================================================================
>
> First, get CPAN and PAUSE authenticated through a "trusted" root.
>
> Second, allow a way for CPAN authors to authenticate THROUGH the CPAN
> certificate. (I.e., make PAUSE issue certificates to all the authors.)
>
> IM[uneducated]O, only after these steps a cooperation of authors may be
> sought.
>
> Hope this helps,
> Ilya
'gpg --list-keys [name]' is also an extremely useful command that I forgot
to mention.

Eric R. Meyers 2006-05-13, 6:57 pm
Ilya Zakharevich wrote:
> [A complimentary Cc of this posting was sent to
> Eric R. Meyers
> <ermeyers@adelphia.net>], who wrote in article
> <FYSdneLXENKDEfjZRVn-uA@adelphia.com>:
> ==========================================================================
>
> First, get CPAN and PAUSE authenticated through a "trusted" root.
>
> Second, allow a way for CPAN authors to authenticate THROUGH the CPAN
> certificate. (I.e., make PAUSE issue certificates to all the authors.)
>
> IM[uneducated]O, only after these steps a cooperation of authors may be
> sought.
>
> Hope this helps,
> Ilya
This is off the top of my head, so someone please check if I did this right.
I'm just recently educated, so I know what you're facing. I found that the
biggest problem is probably that a person generated their own keys using
gpg --gen-key
gpg --keyserver hkp://subkeys.pgp.net --send-keys [name]
gpg --armor --export [name] | tee YOURAUTHORID2006.pub
as their normal user self (as username) which will have ultimate trust set
in their keyring for their key. But you usually need to be root when
installing CPAN modules via cpan or cpanplus, so that you have the write
permissions for /usr/lib/perl5. And, likewise you need to be root to do the
'make install' for your distribution development.
You need to load your root's /root/.gnupg/ keyring databases with your
public key, and then set the trust value to 'ultimate' trust, of course:
as root:
gpg --import ~username/YOURAUTHORID2006.pub
gpg --edit-key [name]
Command> trust
Command> q
Now your root trusts you too, but root will now eventually also make a
SIGNATURE via 'cpansign -s' for your CPAN distribution.
in both ~username/.gnupg/gpg.conf and /root/.gnupg/gpg.conf find and do:
# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.
#default-key 621CC013
# this is my public key id, use your own public keyid
default-key 83CE80A3
# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.
#default-recipient some-user-id
default-recipient-self
Let me know, if you have questions.
Here's the ERMEYERS2005.pub, save it to file and 'gpg --import
ERMEYERS2005.pub'; and don't worry, you don't have to trust me, unless you
'gpg --edit-key ermeyers', Command> trust, Command> q.
http://search.cpan.org/src/ERMEYERS...RMEYERS2005.pub
Here's the PAUSE2003.pub, save it to file and 'gpg --import PAUSE2003.pub'.
http://search.cpan.org/src/ERMEYERS...s/PAUSE2003.pub
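
What a SIGNATURE file pins down is a list of per-file digests inside a PGP cleartext-signed block. The sketch below is an added example, not part of the thread and not Module::Signature's own code: it checks only those digests against an unpacked distribution and leaves the PGP signature itself to gpg and the key trust discussed above. It assumes the Module::Signature layout (`SHA1 <hex> <file>` lines), GNU `sha1sum`/`sha256sum`, and the hypothetical function names `check_signature_digests` and `make_sample_dist`.

```shell
# Added example (not from the thread): digest check for a Module::Signature
# SIGNATURE file. It does NOT verify the PGP signature; gpg must do that.
# Return codes: 0 all listed files match, 1 problem found, 2 no SIGNATURE.
check_signature_digests() {
    dist=$1
    [ -f "$dist/SIGNATURE" ] || { echo "NO-SIGNATURE $dist"; return 2; }
    # Digest lines live in the cleartext-signed body, before the signature block.
    listed=$(sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^-----BEGIN PGP SIGNATURE-----$/p' \
        "$dist/SIGNATURE" | grep -E '^SHA(1|256) [0-9a-f]+ .' || true)
    [ -n "$listed" ] || { echo "NO-DIGESTS $dist"; return 1; }
    bad=0
    while read -r algo want file; do
        case $file in
            /*|*..*) echo "UNSAFE-PATH $file"; bad=1; continue ;;  # stay inside $dist
        esac
        [ -f "$dist/$file" ] || { echo "MISSING $file"; bad=1; continue; }
        case $algo in
            SHA1)   got=$(sha1sum   < "$dist/$file") ;;
            SHA256) got=$(sha256sum < "$dist/$file") ;;
        esac
        [ "${got%% *}" = "$want" ] || { echo "MISMATCH $file"; bad=1; }
    done <<EOF
$listed
EOF
    return $bad
}

# Constructed sample: a tiny unpacked distribution whose SIGNATURE lists real
# digests but carries a placeholder (non-verifiable) signature block.
make_sample_dist() {
    d=$(mktemp -d)
    printf 'package Foo;\n1;\n' > "$d/Foo.pm"
    printf 'Foo.pm\nMANIFEST\n' > "$d/MANIFEST"
    {
        echo '-----BEGIN PGP SIGNED MESSAGE-----'
        echo 'Hash: SHA1'
        echo
        for f in Foo.pm MANIFEST; do
            sum=$(sha1sum < "$d/$f")
            echo "SHA1 ${sum%% *} $f"
        done
        echo '-----BEGIN PGP SIGNATURE-----'
        echo '(placeholder, not a real signature)'
        echo '-----END PGP SIGNATURE-----'
    } > "$d/SIGNATURE"
    echo "$d"
}
```

A clean digest check says nothing about who produced the list; only a gpg-verified signature from a key you have reason to trust does that.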