Andreas J. Koenig wrote:
> ...because it's redundant, complicates testing, has little security
> value and provides a false sense of security.
> If a 3rd party has hijacked the tarball they can simply change the
> signature test to always pass. In short, you're trusting the
> untrusted code to do a self-diagnostic and tell you if you can trust
> it. Your CPAN shell will already do a signature check.
None of the above is a reason to tell people to drop a test. While I
don't know what the bug is that the OP asked about, it is no solution to
suggest dropping a test. Next time you suggest to drop all tests, right?
Oh, yes, maybe this is the solution to all testing problems.
Don't get so excited. Reread what's being discussed. This is a "test" that's
running a check of the SIGNATURE file.
The signature test isn't really a test. It's not testing that the code does
its job, it's testing that it passes its signature. It's not a functionality
test, it's a security measure, and doesn't really belong in the test suite. At
best it's an author check of the integrity of the distribution not to be
distributed. But even that's of low value, because it's just checking that a
3rd party tool did its job... but it's doing it wrong and creating a false bug.
Don't get dogmatic about testing. Tests exist to catch bugs. If a test isn't
doing that then at best it's dead weight. At worst it's a false failure and a
maintenance hassle. You only have so much time to spend working on tests,
choose where you're going to spend it wisely.
BTW Eric, I didn't notice that Module::Signature was complaining about
MYMETA.yml not being in the MANIFEST. I puzzled out why it's doing that.
Module::Signature appears to assume that anything in the directory at the
point of "build test" is going to be either A) in the MANIFEST or B) refuted
by the MANIFEST.SKIP. Kind of a dodgy assumption, given the build step throws
files all over, but it totally breaks down if you don't ship a MANIFEST.SKIP
and your code is doing something not expected by the default MANIFEST.SKIP...
like making a MYMETA.yml file.
--
91. I am not authorized to initiate Jihad.
-- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
http://skippyslist.com/list/
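
The file-accounting rule described in the message above, as an added example that is not part of the original post and is not Module::Signature's own code: every file present at test time must be listed in MANIFEST or matched by a skip pattern. The `unaccounted` helper, the sample distribution and both skip lists are constructed for illustration; the "default" list is an assumed stand-in for a default MANIFEST.SKIP that does not know about MYMETA files.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find ();
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use File::Basename qw(dirname);
use File::Spec;

# Return files under $dir that are neither listed in the manifest
# nor matched by any skip pattern (hypothetical helper).
sub unaccounted {
    my ($dir, $manifest, $skip) = @_;
    my %listed = map { $_ => 1 } @$manifest;
    my @found;
    File::Find::find({ no_chdir => 1, wanted => sub {
        return unless -f $_;
        my $rel = File::Spec->abs2rel($_, $dir);
        $rel =~ s{\\}{/}g;                      # normalise separators
        return if $listed{$rel};                # A) in the MANIFEST
        return if grep { $rel =~ $_ } @$skip;   # B) covered by a skip pattern
        push @found, $rel;
    } }, $dir);
    return sort @found;
}

# Constructed sample distribution: shipped files plus what a build leaves behind.
my $dir       = tempdir(CLEANUP => 1);
my @shipped   = qw(MANIFEST SIGNATURE Makefile.PL lib/Foo.pm t/basic.t);
my @generated = qw(Makefile MYMETA.yml blib/lib/Foo.pm pm_to_blib);
for my $f (@shipped, @generated) {
    my $path = File::Spec->catfile($dir, split m{/}, $f);
    make_path(dirname($path));
    open my $fh, '>', $path or die "$path: $!";
    close $fh;
}

# Assumed stand-in for a default skip list with no MYMETA entry.
my @default_skip = (qr{^Makefile$}, qr{^blib/}, qr{^pm_to_blib$});
# Author-supplied MANIFEST.SKIP that also covers the generated metadata file.
my @author_skip  = (@default_skip, qr{^MYMETA\.});

print "default skip: ", join(', ', unaccounted($dir, \@shipped, \@default_skip)), "\n";
print "author skip:  ", join(', ', unaccounted($dir, \@shipped, \@author_skip)) || '(none)', "\n";
```

With the assumed default list, the only file left unaccounted for is the build-generated MYMETA.yml; shipping a MANIFEST.SKIP that covers it clears the report.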