# -*- Mode: cperl; coding: utf-8; cperl-indent-level: 4 -*-
package CPAN;
-$VERSION = '1.72';
-# $Id: CPAN.pm,v 1.407 2003/07/27 16:07:39 k Exp $
+$VERSION = '1.75_02';
+# $Id: CPAN.pm,v 1.409 2003/07/28 22:07:23 k Exp $
# only used during development:
$Revision = "";
-# $Revision = "[".substr(q$Revision: 1.407 $, 10)."]";
+# $Revision = "[".substr(q$Revision: 1.409 $, 10)."]";
use Carp ();
use Config ();
});
sleep 2;
} elsif ($mod eq "Module::Signature"){
- $CPAN::Frontend->myprint(qq{
+ unless ($Have_warned->{"Module::Signature"}++) {
+ # No point in complaining unless the user can
+ # reasonably install and use it.
+ if (eval { require Crypt::OpenPGP; 1 } ||
+ defined $CPAN::Config->{'gpg'}) {
+ $CPAN::Frontend->myprint(qq{
CPAN: Module::Signature security checks disabled because Module::Signature
not installed. Please consider installing the Module::Signature module.
+ You also need to be able to connect over the Internet to the public
+ keyservers like pgp.mit.edu (port 11371).
-});
- sleep 2;
+})
+ sleep 2;
+ }
+ }
} else {
delete $INC{$file}; # if it inc'd LWP but failed during, say, URI
}
my $lc_want =
File::Spec->catfile($CPAN::Config->{keep_source_where},
"authors", "id", @$chksumfile);
+
+ my $fh;
+
+ # Purge and refetch old (pre-PGP) CHECKSUMS; they are a security
+ # hazard. (Without GPG installed they are not that much better,
+ # though.)
+ $fh = FileHandle->new;
+ if (open($fh, $lc_want)) {
+ my $line = <$fh>; close $fh;
+ unlink($lc_want) unless $line =~ /PGP/;
+ }
+
local($") = "/";
# connect "force" argument with "index_expire".
my $force = 0;
}
# adapted from CPAN::Distribution::MD5_check_file ;
- my $fh = FileHandle->new;
+ $fh = FileHandle->new;
my($cksum);
if (open $fh, $lc_file){
local($/);
Your mileage may vary...
+=head1 Cryptographically signed modules
+
+Since release 1.72 CPAN.pm has been able to verify cryptographically
+signed module distributions using Module::Signature. The CPAN modules
+can be signed by their authors, thus giving more security. The simple
+unsigned MD5 checksums that were used before by CPAN protect mainly
+against accidental file corruption.
+
+You will need to have Module::Signature installed, which in turn
+requires that you have at least one of Crypt::OpenPGP module or the
+command-line F<gpg> tool installed.
+
+You will also need to be able to connect over the Internet to the public
+keyservers, like pgp.mit.edu, and their port 11731 (the HKP protocol).
+
=head1 FAQ
=over 4
projects / p5sagit/p5-mst-13.2.git / blobdiff