Date: Wed, 05 Jun 2013 14:51:37 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: Russ Allbery <rra@...nford.edu>, audreyt@...reyt.org
Subject: Re: CVE-2013-2145: perl Module::Signature code execution vulnerability

On 06/05/2013 02:24 PM, Russ Allbery wrote:

> Speaking as a CPAN author, the second would be awesome.  For bonus points,
> once one registers a key with CPAN, CPAN could then even check one's
> uploads and disallow uploads that aren't signed with the proper key.

As another CPAN contributor (though much less prolific than Russ), I
also think this would be great.

And wearing my hat as a member of the Debian perl module packaging team,
I would be very happy to see this level of author-specific cryptographic
integrity checks when we're updating packages from CPAN.  I suspect we
have enough people interested in this within the Debian pkg-perl team to
build in automated checks against these certifications during Debian
packaging as well.

Thanks for continuing to maintain such a great archive of useful, free code.

	--dkg


