> downloading CPAN content roughly to:
> internet connection to not muck with the code you receive.
>
> Obviously the real fix here is that clients need to request via TLS (since I
> doubt any clients other than regular browsers support HSTS).

I was under the impression that any "code" (e.g. content submitted via PAUSE) had an existing, long-standing additional cryptographic security on top of plain text, namely:

- Per-author CHECKSUM files
- Which are signed by the PAUSE GPG key

http://cpan.metacpan.org/authors/id/K/KE/KENTNL/CHECKSUMS

And I've been using that feature via my CPAN client for years now. (I notice occasionally when the checksum files are broken.)

I'm fine with allowing there to be additional security mechanisms, it's just *requiring* users engage in security mechanisms when there's no *need* to nor *desire* to on the users' behalf I consider potentially harmful.

Is there other content coming from the CPAN network that I'm not considering here?

--
Kent

KENTNL - https://metacpan.org/author/KENTNL