oss-sec mailing list archives

Re: CVE-2013-2145: perl Module::Signature code execution vulnerability


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Wed, 05 Jun 2013 14:51:37 -0400

On 06/05/2013 02:24 PM, Russ Allbery wrote:

> Speaking as a CPAN author, the second would be awesome.  For bonus points,
> once one registers a key with CPAN, CPAN could then even check one's
> uploads and disallow uploads that aren't signed with the proper key.

As another CPAN contributor (though much less prolific than Russ), i
also think this would be great.

And wearing my hat as a member of the debian perl module packaging team,
i would be very happy to see this level of author-specific cryptographic
integrity checks when we're updating packages from CPAN.  I suspect we
have enough people interested in this within the debian pkg-perl to
build in automated checks against these certifications during debian
packaging as well.

Thanks for continuing to maintain such a great archive of useful, free code.

        --dkg



