On Thu, 11 May 2006 18:25:03 +1000, Adam Kennedy wrote:

> Overall, I think (and some others agree) that Module::Signature has
> reached the point where it is causing more harm than good.
>
> Any improvement in security is dwarfed by the problems it is causing for
> many people and modules.
>
> The core toolchain is supposed to be highly robust and install
> painlessly in most environments.
>
> I'd like people's thoughts on "resting" Module::Signature for a while,
> until suitable maintainers can be found and the major set of critical
> bugs have been resolved.
>
> This would probably mean disabling it by default in CPAN.pm, removing
> the nag warnings, and removing it from Bundle::CPAN.

Thank you. I am doing some enterprise builds of 5.8.8 and Module::Signature caused some problems for me even when I told it to forget the crypto. Since then I decided to ignore it and therefore Bundle::CPAN, which goes against my usual recommendations.

Here are extracts from that build process:

    What do you want me to do?
    [...]
    3) Forget this cryptographic signature stuff for now.

    Your choice: [3] 3
    [...]
    [Sign and verify PAR (Perl Archive) files]
    - PAR::Dist ...missing.
    ==> Auto-install the 1 optional module(s) from CPAN? [y] y
    [...]
    /opt/bin/perl5.8.8 -Iinc Makefile.PL --config=-default,0 --installdeps=PAR::Dist,0
    *** Looking for GnuPG (GNU Privacy Guard, a cryptographic signature tool)...
    GnugPG not found anywhere in your PATH, eek.
    [...]
    What do you want me to do?
    [...]
    3) Forget this cryptographic signature stuff for now.

    Your choice: [3]
    *** Installing PAR::Dist...
    [...]
    *** PAR::Dist successfully installed.
    [...]
    Running make test
    /opt/bin/perl5.8.8 -Iinc Makefile.PL --config=-default,0 --installdeps=PAR::Dist,0
    *** Looking for GnuPG (GNU Privacy Guard, a cryptographic signature tool)...
    GnugPG not found anywhere in your PATH, eek.
    [...]
    What do you want me to do?
    [...]
    3) Forget this cryptographic signature stuff for now.

    Your choice: [3]
    PERL_DL_NONLAZY=1 /opt/bin/perl5.8.8 "-MExtUtils::Command::MM" "-e" "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/0-signature.t t/1-basic.t
    t/0-signature....Can't exec "gpg": No such file or directory at /opt/.cpan/build/Module-Signature-0.53/blib/lib/Module/Signature.pm line 134.
    Use of uninitialized value in pattern match (m//) at /opt/.cpan/build/Module-Signature-0.53/blib/lib/Module/Signature.pm line 134.
    Cannot use GnuPG or Crypt::OpenPGP, please install either one first!
    [...]
    Running make install
    /opt/bin/perl5.8.8 -Iinc Makefile.PL --config=-default,0 --installdeps=PAR::Dist,0
    *** Looking for GnuPG (GNU Privacy Guard, a cryptographic signature tool)...
    GnugPG not found anywhere in your PATH, eek.
    [...]
    What do you want me to do?
    [...]
    3) Forget this cryptographic signature stuff for now.

    Your choice: [3]

Then it went on to install Module::Signature.

Yep, it asked me four times whether I wanted it to install a GPG. I decided I didn't want the high pressure sales pitch the next time :-)

--
Peter Scott
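The test failure in the log above (`t/0-signature.t` dying with "Can't exec gpg" and "Cannot use GnuPG or Crypt::OpenPGP") is what a distribution's signature test does when it calls Module::Signature::verify() without first checking that a verifier is available. The following is an added example, not code from this thread or from the Module::Signature distribution itself: a `t/0-signature.t` that probes for the prerequisites and skips instead of failing the build, so an unsigned or verifier-less environment reports "skipped" rather than a broken install. The scan of `$ENV{PATH}` for an executable named `gpg` and the keyserver reachability probe against `pgp.mit.edu` are assumptions about the environment, not behaviour documented on this page; the return-value constants (`SIGNATURE_OK`, `CANNOT_VERIFY`) are Module::Signature's own.

```perl
#!/usr/bin/perl
# Added example: a t/0-signature.t that degrades gracefully instead of dying.
# Not code from the thread or from Module::Signature; see the lead-in for assumptions.
use strict;
use warnings;
use Test::More;

# Module::Signature is optional for running a distribution's test suite.
unless ( eval { require Module::Signature; 1 } ) {
    plan skip_all => 'Module::Signature not installed; cannot verify the SIGNATURE file';
}

# Module::Signature needs either the gpg binary or Crypt::OpenPGP to verify.
# Assumption: gpg is found by scanning PATH for an executable named "gpg"
# (on Windows the file would be gpg.exe; adjust accordingly).
my @path_dirs  = split /:/, ( $ENV{PATH} || '' );
my $have_gpg   = grep { -x "$_/gpg" } @path_dirs;
my $have_opgp  = eval { require Crypt::OpenPGP; 1 };

unless ( $have_gpg || $have_opgp ) {
    plan skip_all => 'Neither GnuPG nor Crypt::OpenPGP available; skipping signature check';
}

# Verification fetches the signing key from a keyserver, so an offline build
# host cannot verify. Assumption: resolving pgp.mit.edu is a good-enough probe.
unless ( eval { require Socket; Socket::inet_aton('pgp.mit.edu') } ) {
    plan skip_all => 'No network access; cannot fetch the signer public key';
}

plan tests => 1;

# verify() returns SIGNATURE_OK when the SIGNATURE file matches the tree,
# CANNOT_VERIFY when it could not even attempt verification, and other
# (negative) codes for missing, malformed, bad or mismatched signatures.
my $ret = Module::Signature::verify();

SKIP: {
    skip 'Module::Signature could not verify (e.g. no SIGNATURE file in this checkout)', 1
        if $ret eq Module::Signature::CANNOT_VERIFY();
    cmp_ok( $ret, '==', Module::Signature::SIGNATURE_OK(), 'Valid signature' );
}
```

The point of the three early `plan skip_all` exits is that a missing verifier or missing network is an environmental limitation, not a bad signature, so the build should say so rather than fail; only a signature that is actually present, verifiable and wrong reaches the final `cmp_ok` and fails the test. A mismatch there is the case worth stopping an install for.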