>>>>> On Mon, 10 Dec 2007 21:12:51 -0800, Michael G Schwern <[EMAIL PROTECTED]> said:

> Adam Kennedy posed me a stumper on #toolchain tonight. In short, having a
> test which checks your signature doesn't appear to be an actual deterrent to
> tampering. The man-in-the-middle can just delete the test, or just the
> SIGNATURE file since it's not required. So why ship a signature test?

Asking the wrong question. None of our testsuites is there to protect
against spoof or attacks. That's simply not the goal. Same thing for
00-signature.t

> The only thing I can think of is to ensure the author that the signature
> they're about to ship is valid, but that's not something that needs to be
> shipped.

Has the world changed overnight? Are we now questioning tests instead of
encouraging them? Do now suddenly authors have to justify their testing
efforts? I don't mind if we set up a few rules what tests should and should
not do, but then this topic needs to be put into perspective.

> It appears that a combination of a CHECKSUMS check against another CPAN mirror
> and a SIGNATURE check by a utility external to the code being checked is
> effective, and that's what the CPAN shell does. The CHECKSUMS check makes
> sure the distribution hasn't been tampered with. Checking against a CPAN
> mirror other than the one you downloaded the distribution from checks that the
> mirror has not been compromised. Checking the SIGNATURE ensures that the
> module is from who you think it's from.

Yupp. And testing the signature in a test is better than not testing it
because a bug in a signature or in crypto software is as alarming as a bug
in perl or a module.

> <adam> Schwern: What's the deal with adding 00-signature.t to Test::More?
> What's it supposed to achieve?
> <Schwern> Checks that the files patch the author's signature
> <Schwern> s/patch/match/
> <adam> To what end?
> <adam> Is it an anti-tamper thing?

Nope.

> <Schwern> Well, if it fails then your files are not what the author uploaded

Or something else failed.

> <Schwern> Yep
> <Schwern> It's semi-redundant with the CPAN shells as they should already be
> making that check
> <adam> So... if I was tampering with your module, wouldn't deleting the test
> script be the first thing I did?
> <Schwern> You can do that, but there are other things which do a signature check
> <adam> So basically, 00-signature.t as a concept is 1) Exploitable 2)
> Redundant 3) A source of spurious failures

Exploitable is everything, starting with Makefile.PL
Redundant are most of all tests all the time.
If it is a source of spurious failures, it's time to fix the failures.

> <Schwern> How is it exploitable?
> <adam> I just delete the test script
> <Schwern> That's not exactly an exploit
> <adam> Why not?
> <Schwern> This is getting into semantics, but an exploit implies that you do
> something with it, not just diable it.
> <Schwern> disable
> <adam> Granted, it's a trivial exploit
> <Schwern> However, I see your point

I don't.

> <adam> They also tend to be a source of test failures
> <adam> Because the crypto chain is horrid
> <adam> Can I recommend removing all of them?

I don't think this is a good idea.

> <adam> Just let the CPAN client take care of it?
> <adam> For example, looks like Test::More won't install on Windows if you
> have gpg installed?
> <adam> (And Module::Signature)

It's really bad if there is a class of tests that fail on a platform. But
discouraging tests because of that is to put the cart before the horse.

-- 
andreas
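The cross-mirror CHECKSUMS check that the quoted message describes, as an added example that is not part of this thread and not the CPAN shell's own code (written in Python rather than Perl; the distribution name, file contents and mirror tables are constructed, and the `{dist: {"sha256": hex}}` entry shape is an assumption):

```python
import hashlib
import io
import tarfile


def build_dist(files):
    """Build a tar.gz in memory from {path: text}; constructed stand-in for a CPAN tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in sorted(files.items()):
            data = text.encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def verify_against_mirrors(dist_name, dist_bytes, checksums_by_mirror):
    """External check in the spirit of the CPAN shell: the archive digest must match the
    CHECKSUMS entry of every mirror consulted, and the mirrors must agree with each other.
    Assumption: a CHECKSUMS table is {dist_name: {"sha256": hex}}. Returns (ok, reason)."""
    actual = hashlib.sha256(dist_bytes).hexdigest()
    expected = {}
    for mirror, table in checksums_by_mirror.items():
        entry = table.get(dist_name)
        if entry is None:
            return False, f"{mirror}: no CHECKSUMS entry for {dist_name}"
        expected[mirror] = entry["sha256"]
    if len(set(expected.values())) != 1:
        return False, "mirrors disagree: at least one mirror serves a bad CHECKSUMS"
    if actual != expected[next(iter(expected))]:
        return False, "archive digest does not match CHECKSUMS: distribution was altered"
    return True, "ok"


def demo():
    """Constructed scenario: the author's upload, the same upload with SIGNATURE and
    t/00-signature.t stripped, and mirrors that are honest or republish the altered digest."""
    name = "Example-Dist-0.01.tar.gz"  # hypothetical distribution name
    lib = {"Example-Dist-0.01/lib/Example.pm": "package Example; 1;\n"}
    upload = build_dist({**lib,
                         "Example-Dist-0.01/SIGNATURE": "(pgp signature here)\n",
                         "Example-Dist-0.01/t/00-signature.t": "(signature test here)\n"})
    stripped = build_dist(lib)
    honest = {name: {"sha256": hashlib.sha256(upload).hexdigest()}}
    replaced = {name: {"sha256": hashlib.sha256(stripped).hexdigest()}}
    return {
        "untouched": verify_against_mirrors(name, upload, {"a": honest, "b": honest})[0],
        "stripped": verify_against_mirrors(name, stripped, {"a": honest, "b": honest})[0],
        "one_bad_mirror": verify_against_mirrors(name, stripped, {"a": replaced, "b": honest})[0],
    }
```

Removing t/00-signature.t and SIGNATURE changes the archive bytes, so a digest held outside the archive catches it no matter what the archive's own tests do; a single mirror that republishes the altered digest is caught by its disagreement with the second mirror.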