module-build-general Mailing List for Module::Build (Page 185)
Status: Beta
Brought to you by:
kwilliams
From: Ken W. <ke...@ma...> - 2002-08-12 06:11:11
Hi,

Andreas posted this message recently on p5p, it's relevant to Module::Build so I'm forwarding to the list.

I admit to not knowing too much about the matter, but I agree that something should be added. It might be appropriate to include a digest as an item in the generated META.yaml file. Andreas, would this fulfill the requirements you can think of? You seem to indicate that each file in the distro needs to be signed independently - why is that? Do people really need that kind of fine-grained signing?

-Ken

------------------------- Forwarded message: ----------------------------------
To: Robin Berjon <ro...@kn...>
Cc: per...@pe...
Subject: Re: A though for 5.9: secure CPAN
Date: Mon, 05 Aug 2002 05:11:16 +0200
From: and...@an... (Andreas J. Koenig)

>>>>> On Mon, 5 Aug 2002 02:11:14 +0200, Robin Berjon <ro...@kn...> said:

> Hi,
> I may have missed it due to a few busy days, but I think that the suggestion
> Leon made at http://use.perl.org/~acme/journal/6887 was an interesting one.
> This doesn't depend solely on Perl 5.9 (but also on PAUSE) but I think it may
> be worth discussing given that MakeMaker could surely help and that there is
> talk about CPANPLUS integration into the core.

The cited http://www.cryptnet.net/fdp/crypto/strong_distro.html is a very valuable piece of advice. I dislike chapter 2.4. ("Conventions"). I consider detached signatures unnecessary impractical. My stance on this is:

- make security optional
- integrate the security into the distribution

Both can and should be done without affecting PAUSE. - The key is in MakeMaker/Module::Build.

The signature should be part of the distribution file and instead of the .tar.gz file, a MANIFEST.digest or equivalent needs to be signed.

The perl equivalent of 'rpm --sign' would do the following:

- untar the package
- compute a MANIFEST.digest (can be YAML format containing MD5 digests for all contained files except for MANIFEST.digest itself, can alternatively be XML format containing SHA1 digests)
- sign the MANIFEST.digest
- tar and compress or zip it (all of .tar.gz, .zip, .tar.bz2, etc. would have identical content).

You do not need to convince any developer or user to produce/use that MANIFEST.digest file. We do not require people to sign their work. We need to make it convenient for both sides to add security.

--
andreas
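The MANIFEST.digest steps listed in the forwarded message, sketched as an added example that is not part of the thread and is not MakeMaker or Module::Build code: it builds the manifest from a distribution's files, checks an unpacked distribution against it, and shows that a .tar.gz and a .zip of the same files yield the same manifest. Assumptions: Python stands in for Perl, SHA-256 replaces the MD5/SHA1 named in the message, the manifest is plain `<digest>  <path>` lines rather than YAML or XML, and the signing step is left out, so the manifest bytes must be authenticated separately for the check to mean anything.

```python
import hashlib, io, tarfile, zipfile

MANIFEST = "MANIFEST.digest"  # name from the message; the line format below is assumed

def tar_members(data):
    """Yield (path, bytes) for each regular file in an in-memory .tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf:
            if m.isfile():
                yield m.name, tf.extractfile(m).read()

def zip_members(data):
    """Yield (path, bytes) for each file in an in-memory .zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                yield info.filename, zf.read(info)

def build_manifest(members):
    """'<sha256>  <path>' per file, sorted by path, excluding the manifest itself."""
    digests = {p: hashlib.sha256(b).hexdigest() for p, b in members if p != MANIFEST}
    return "".join(f"{digests[p]}  {p}\n" for p in sorted(digests))

def verify(members):
    """Compare an unpacked distribution with its own manifest; return problems found."""
    files = dict(members)
    if MANIFEST not in files:
        return ["no " + MANIFEST]
    text = files.pop(MANIFEST).decode()
    listed = {p: d for d, _, p in (ln.partition("  ") for ln in text.splitlines())}
    actual = {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}
    return ([f"missing: {p}" for p in sorted(listed.keys() - actual.keys())]
            + [f"unlisted: {p}" for p in sorted(actual.keys() - listed.keys())]
            + [f"changed: {p}" for p in sorted(listed.keys() & actual.keys())
               if listed[p] != actual[p]])

# Constructed sample input helpers: pack {path: bytes} as .tar.gz or as .zip.
def pack_tar(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()

def pack_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()
```

An empty list from `verify` only says the files match the manifest shipped inside the archive; whoever can rewrite the archive can rewrite an unsigned manifest too.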
From: Ken W. <ke...@ma...> - 2002-08-12 05:23:57
Hello Module::Build list subscribers.

I thought I'd let you know what I've been up to on M::B development.

1) I set up this mailing list (I suppose you've heard that already)

2) I've added a couple features that will appear in the next release. One is a programmatic interface to a module's prerequisite dependencies, which should help the CPANPLUS project. Another is a pass-through Makefile.PL in the Module::Build distribution, which I believe to have only marginal benefit but it's been asked for several times.

3) I'm trying to figure out the "proper" way to extract Module::Build from my personal CVS repository so I can put it on sourceforge. Anyone know a good way to turn a directory from a CVS tree into its own repository, preserving the ability to see history information? I thought it might be "cvs import", but apparently I don't understand what that means.

Version 0.11 should be out before too long.

-Ken