This queue is for tickets about the CPAN CPAN distribution.

Report information

The Basics
Id: 39243
Status: open
Priority: Low/Low
Queue:

People
Owner: Nobody in particular
Requestors: mschwern [...] cpan.org
Cc:
AdminCc:

BugTracker
Severity: Normal
Broken in: 1.9205
Fixed in: (no value)


Subject: Remove signature test?
I went to go install a new version of CPAN on a fresh 5.8.8. When I ran the tests I got...

    t/00signature.......1/1 Unknown cipher: SHA1, please install Digest::SHA, Digest::SHA1, or Digest::SHA::PurePerl
    ==> UNKNOWN Cipher format! <==

It's annoying that I have to install a module to upgrade the module installer.

Could that signature test be removed? It doesn't serve any purpose as the SIGNATURE file could have just as easily been replaced by a man-in-the-middle.

That or put in an exception for CIPHER_UNKNOWN and CANNOT_VERIFY.

Thanks.

Subject: Re: [rt.cpan.org #39243] Remove signature test?
Date: Sun, 14 Sep 2008 10:14:47 +0200
To: bug-CPAN@rt.cpan.org
From: andreas.koenig.7os6VVqR@franz.ak.mind.de (Andreas J. Koenig)
>>>>> On Sat, 13 Sep 2008 05:18:44 -0400, "Michael G Schwern via RT" <bug-CPAN@rt.cpan.org> said:

> I went to go install a new version of CPAN on a fresh 5.8.8. When I ran
> the tests I got...

> t/00signature.......1/1 Unknown cipher: SHA1, please install
> Digest::SHA, Digest::SHA1, or Digest::SHA::PurePerl
> ==> UNKNOWN Cipher format! <==

Oops, I never saw this one before.

> It's annoying that I have to install a module to upgrade the module
> installer.

Agree.

> Could that signature test be removed? It doesn't serve any purpose as
> the SIGNATURE file could have just as easily been replaced by a
> man-in-the-middle.

If you want to argue about security, please make it a separate ticket.

> That or put in an exception for CIPHER_UNKNOWN and
> CANNOT_VERIFY.

I think I do a skip if one of the three mentioned modules isn't installed.

[time passes]

DONE. Will be in 1.92_65

-- 
andreas

Subject: Re: [rt.cpan.org #39243] Remove signature test?
Date: Sun, 14 Sep 2008 15:07:00 -0700
To: bug-CPAN@rt.cpan.org
From: Michael G Schwern <schwern@pobox.com>
(Andreas J. Koenig) via RT wrote:

> > Could that signature test be removed? It doesn't serve any purpose as
> > the SIGNATURE file could have just as easily been replaced by a
> > man-in-the-middle.
>
> If you want to argue about security, please make it a separate ticket.

I reference this discussion...
http://www.nntp.perl.org/group/perl.qa/2007/12/msg9902.html
...but I see we already went through this before. Ok.

> > That or put in an exception for CIPHER_UNKNOWN and
> > CANNOT_VERIFY.
>
> I think I do a skip if one of the three mentioned modules isn't
> installed. [time passes] DONE. Will be in 1.92_65

Thanks. I recommend using the constants instead to protect against future changes to the guts of Module::Signature or future ciphers.

PS I think the above happened because I had a 64 bit perl install looking at a 32 bit site-perl. So it thought it had modules installed but they wouldn't actually load.

-- 
Life is like a sewer - what you get out of it depends on what you put into it.
    - Tom Lehrer
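
An added example, not part of the ticket and not the CPAN distribution's own test file: one way a signature test can skip on the CIPHER_UNKNOWN and CANNOT_VERIFY status codes discussed above, using Module::Signature's constants by name. The file name and skip messages are assumptions.

```perl
#!/usr/bin/perl
# Hypothetical t/00signature.t: skip when this machine cannot check the
# signature at all, fail only when a check ran and did not pass.
use strict;
use warnings;
use Test::More;

# Nothing to do when there is no SIGNATURE file or no Module::Signature.
plan skip_all => 'no SIGNATURE file in the current directory'
    unless -f 'SIGNATURE';
plan skip_all => 'Module::Signature is not installed'
    unless eval { require Module::Signature; 1 };

# verify() prints its own diagnostics and returns a status code.
my $status = Module::Signature::verify();

# Compare against the module's constants by name rather than by numeric
# value or by probing for Digest::* modules. A module that is present on
# disk but fails to load still ends up here as CIPHER_UNKNOWN.
if ($status == Module::Signature::CIPHER_UNKNOWN()) {
    plan skip_all => 'no Digest module available for the cipher in SIGNATURE';
}
if ($status == Module::Signature::CANNOT_VERIFY()) {
    plan skip_all => 'OpenPGP signature could not be verified on this machine';
}

# Every other status (bad, mismatched or malformed signature) is a failure.
plan tests => 1;
is($status, Module::Signature::SIGNATURE_OK(), 'SIGNATURE verifies')
    or diag("Module::Signature::verify() returned $status");
```

A skip here means no verification took place, so a harness that counts skipped tests as success has learned nothing about the integrity of the distribution.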

