Hi gang
I've been seeing some problems with Module::Signature for a while, and I
notice from the following that it's starting to become a problem for
other people as well.
http://cpanratings.perl.org/dist/Module-Signature
Additional problems include the lack of pgp|gpg on Windows, which creates
an enormous dependency chain (15-30 modules) of security modules many of
which have platform problems or overly flexible installers, making it
nearly impossible to install without forcing default options.
install Bundle::CPAN
...
"Would you like to enable PEM support?"
...
(repeat for up to a dozen other security questions)
On top of this, Module::Signature has a high bug count, many of which
are serious and old.
http://rt.cpan.org/Public/Dist/Display.html?Name=Module-Signature
I've done a small amount of work myself on the Makefile.PL but anything
else is beyond my skillset and time availability.
Audrey is obviously fully involved in pugs/Perl 6 and does not have time
to spend on it, and I've been unable to locate a maintainer with enough
time to deal with the problems.
Overall, I think (and some others agree) that Module::Signature has
reached the point where it is causing more harm than good.
Any improvement in security is dwarfed by the problems it is causing for
many people and modules.
The core toolchain is supposed to be highly robust and install
painlessly in most environments.
I'd like people's thoughts on "resting" Module::Signature for a while,
until suitable maintainers can be found and the major set of critical
bugs have been resolved.
This would probably mean disabling it by default in CPAN.pm, removing
the nag warnings, and removing it from Bundle::CPAN.
Would this cause any "showstopper" problems beyond just personal
preferences or inconveniences?
Thanks for your time
Adam K