Adam Kennedy wrote:
You should not add MYMETA.yml to the MANIFEST, it will NEVER ship to CPAN.

Remove the signature test.

...because it's redundant, complicates testing, has little security value and provides a false sense of security.

If a 3rd party has hijacked the tarball they can simply change the signature test to always pass. In short, you're trusting the untrusted code to do a self-diagnostic and tell you if you can trust it. Your CPAN shell will already do a signature check.


--
Being faith-based doesn't trump reality.
        -- Bruce Sterling
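An added illustration of the point made in the message above, not code from the original thread or from any CPAN tooling: it models the "signature" as a digest file stored inside the tarball rather than a PGP signature, and shows that a check which trusts data inside the archive passes for a re-packaged copy, while a check against a digest obtained separately from the archive (as a CPAN client does with the index's checksum data) does not. Names such as `in_archive_self_check`, `out_of_band_check` and the sample file contents are constructed for the example.

```python
import hashlib
import io
import tarfile


def build_tarball(files: dict) -> bytes:
    """Pack {path: bytes} into an uncompressed tar archive held in memory (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_tarball(tarball: bytes) -> dict:
    """Unpack the archive back into {path: bytes}."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def content_digest(files: dict) -> str:
    """Digest over every file except the SIGNATURE entry itself (toy stand-in for a signed manifest)."""
    h = hashlib.sha256()
    for name in sorted(files):
        if name == "SIGNATURE":
            continue
        h.update(name.encode() + b"\0" + files[name] + b"\0")
    return h.hexdigest()


def package(files: dict) -> bytes:
    """What a publisher, or anyone who re-packages the tarball, does: add SIGNATURE, then tar it up."""
    files = dict(files)
    files["SIGNATURE"] = content_digest(files).encode()
    return build_tarball(files)


def in_archive_self_check(tarball: bytes) -> bool:
    """The shipped 'signature test': uses data inside the archive to validate the archive."""
    files = read_tarball(tarball)
    return files.get("SIGNATURE", b"").decode() == content_digest(files)


def out_of_band_check(tarball: bytes, trusted_digest: str) -> bool:
    """What the CPAN client does: compare against a digest obtained from a source the tarball cannot alter."""
    return hashlib.sha256(tarball).hexdigest() == trusted_digest


def demo() -> dict:
    original = package({
        "lib/Foo.pm": b"package Foo;\n1;\n",
        "t/basic.t": b"ok 1\n",
    })
    # Recorded by the publisher and delivered separately from the archive (e.g. the index's CHECKSUMS file).
    trusted_digest = hashlib.sha256(original).hexdigest()

    # A re-packaged copy: contents changed, SIGNATURE regenerated to match by the same package() step.
    repackaged = package({
        "lib/Foo.pm": b"package Foo;\n# altered after publication\n1;\n",
        "t/basic.t": b"ok 1\n",
    })

    return {
        "original_self_check": in_archive_self_check(original),
        "original_out_of_band": out_of_band_check(original, trusted_digest),
        "repackaged_self_check": in_archive_self_check(repackaged),
        "repackaged_out_of_band": out_of_band_check(repackaged, trusted_digest),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name}: {'pass' if passed else 'FAIL'}")
```

The self-check passes for both archives because whoever rebuilt the tarball also rebuilt the data the check relies on; only the comparison against a value the archive did not carry detects the change.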