If we decided to make a big awareness push, we’d probably get
the prolific CPAN contributors covered well very quickly, and
then it’s a matter of continual evangelism to keep the web
expanding.
Sounds great, but speaking as one of the aforementioned "prolific CPAN
contributors" there's no way in hell I'm moving to any form of
signatures until someone shows me a fully-cross-platform, low-impact,
never-breaks, doesn't-require-the-internet implementation of the web of
trust concept.
In real code, not just design concept.
Because the current implementation of Module::Signature, although a
reasonably nice proof of concept, is not holding up under "battle
conditions" and is being disabled for the time being.
My biggest criticism of every attempt I've seen at adding more security
is that it reduces utility. And since we've NEVER (yet) had a security
violation that I'm aware of, the net result is we just sacrifice utility
for potential security gain.
On the other hand, give me an easy to use, works _everywhere_, never
fails falsely positive or negative, never crashes, low-dependency
security enhancement to CPAN clients that I never have to think about,
then I'm in and I'll do anything you want.
Adam K