Authors -- Trusted Signature help available

on 13.05.2006 09:34:54 by ermeyers

==========================================================================
There are a lot of modules in CPAN that don't have SIGNATURE files, and if
they do, a lot of them don't have Trusted signatures, if even good ones.
I'm available to help authors with correcting this issue. Well not
completely correcting, but just improving things a little bit, one CPAN
author at a time.
==========================================================================

I've started a project with what I've called the Bundle::Modules suite, in
which I'm going to separate the stable modules from the unstable modules in
all of CPAN, but at the same time I'm offering to help, and also asking for
help to identify the crappy unstable modules in CPAN to get them out of the
way of all of us getting to the good stable stuff ASAP, when trying to
download a bundle of modules. I've got all 38,554 of CPAN modules that are
currently listed.

Feel free to contact me with the good or the bad that you find out there,
because I'll use all the information that I can get from others. Hey, it's
better than all of those spam emails about my winning the Nigerian Lottery.

If you browse the source for Bundle::Modules, I think that you'll be glad that
you stopped by to see the Module::Build oriented scripts I have in
development. I stole from the best examples that I could find in CPAN, and
synthesized my own to reach my goal.

Another thing that I'll openly request is that you send me your armored
public keys as file attachments, and I'll incorporate them to help the user
load all of the author keys into their key rings. I'm currently also
working on a program to collect all of the keys automatically for us, and
import them, so that you are playing in the Trusted SIGNATURE game.

Are CPAN and PAUSE trusted?

on 13.05.2006 11:37:38 by Ilya Zakharevich

[A complimentary Cc of this posting was sent to
Eric R. Meyers
], who wrote in article :
> ==========================================================================
> There are a lot of modules in CPAN that don't have SIGNATURE files, and if
> they do, a lot of them don't have Trusted signatures, if even good ones.
> I'm available to help authors with correcting this issue. Well not
> completely correcting, but just improving things a little bit, one CPAN
> author at a time.

First, get CPAN and PAUSE authenticated through a "trusted" root.

Second, allow a way for CPAN authors to authenticate THROUGH the CPAN
certificate. (I.e., make PAUSE to issue certificates to all the authors.)

IM[uneducated]O, only after these steps a cooperation of authors may be sought.

Hope this helps,
Ilya

Re: Are CPAN and PAUSE trusted?

on 13.05.2006 17:15:30 by ermeyers

Ilya Zakharevich wrote:

> [A complimentary Cc of this posting was sent to
> Eric R. Meyers
> ], who wrote in article
> :
>> ==========================================================================
>> There are a lot of modules in CPAN that don't have SIGNATURE files, and
>> if they do, a lot of them don't have Trusted signatures, if even good
>> ones.
>> I'm available to help authors with correcting this issue. Well not
>> completely correcting, but just improving things a little bit, one CPAN
>> author at a time.
>
> First, get CPAN and PAUSE authenticated through a "trusted" root.
>
> Second, allow a way for CPAN authors to authenticate THROUGH the CPAN
> certificate. (I.e., make PAUSE to issue certificates to all the authors.)
>
> IM[uneducated]O, only after these steps a cooperation of authors may be
> sought.
>
> Hope this helps,
> Ilya

'gpg --list-keys [name]' is also an extremely useful command that I forgot
to mention.

Re: Are CPAN and PAUSE trusted?

on 13.05.2006 17:23:04 by ermeyers

Ilya Zakharevich wrote:

> [A complimentary Cc of this posting was sent to
> Eric R. Meyers
> ], who wrote in article
> :
>> ==========================================================================
>> There are a lot of modules in CPAN that don't have SIGNATURE files, and
>> if they do, a lot of them don't have Trusted signatures, if even good
>> ones.
>> I'm available to help authors with correcting this issue. Well not
>> completely correcting, but just improving things a little bit, one CPAN
>> author at a time.
>
> First, get CPAN and PAUSE authenticated through a "trusted" root.
>
> Second, allow a way for CPAN authors to authenticate THROUGH the CPAN
> certificate. (I.e., make PAUSE to issue certificates to all the authors.)
>
> IM[uneducated]O, only after these steps a cooperation of authors may be
> sought.
>
> Hope this helps,
> Ilya

This is off the top of my head, so someone please check if I did this right.

I'm just recently educated, so I know what you're facing. I found that the
biggest problem is probably that a person generated their own keys using

gpg --gen-key

gpg --keyserver hkp://subkeys.pgp.net --send-keys [name]

gpg --armor --export [name] | tee YOURAUTHORID2006.pub

as their normal user self (as username) which will have ultimate trust set
in their keyring for their key. But you usually need to be root when
installing CPAN modules via cpan or cpanplus, so that you have the write
permissions for /usr/lib/perl5. And, likewise you need to be root to do the
'make install' for your distribution development.

You need to load your root's /root/.gnupg/ keyring databases with your
public key, and then set the trust value to 'ultimate' trust, of course:

as root:

gpg --import ~username/YOURAUTHORID2006.pub

gpg --edit-key [name]
Command> trust
Command> q

Now your root trusts you too, but root will now eventually also make a
SIGNATURE via 'cpansign -s' for your CPAN distribution.

in both ~username/.gnupg/gpg.conf and /root/.gnupg/gpg.conf find and do:

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013
default-key 83CE80A3 <-- this is my public key id, use your own public keyid

# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.

#default-recipient some-user-id
default-recipient-self

Let me know if you have questions.

Here's the ERMEYERS2005.pub, save it to file and 'gpg --import
ERMEYERS2005.pub'; and don't worry, you don't have to trust me, unless you
'gpg --edit-key ermeyers', Command> trust, Command> q.

http://search.cpan.org/src/ERMEYERS/Bundle-Modules-2006.0512/public_keys/ERMEYERS2005.pub

Here's the PAUSE2003.pub, save it to file and 'gpg --import PAUSE2003.pub'.

http://search.cpan.org/src/ERMEYERS/Bundle-Modules-2006.0512/public_keys/PAUSE2003.pub
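The gpg steps in the thread get an author's key into the keyrings and mark it trusted; what a user then gets out of a SIGNATURE file is an integrity check plus a signature check. The following added example (Python, written for this page; it is not code from the thread, from Module::Signature or from Bundle::Modules) shows the integrity half of what `cpansign -v` does: it parses the clear-signed body of a SIGNATURE file, whose lines have the form `SHA1 <hexdigest> <path>`, and compares each digest against the distribution files. The sample distribution contents and the placeholder signature block are constructed. The gpg step (`gpg --verify` of the signature, and whether the signing key is in a keyring you trust) is deliberately not done here; matching digests inside a signature that has not been verified against a trusted key prove nothing about who produced the distribution, which is the point the thread is making.

```python
"""Digest-checking half of a CPAN SIGNATURE verification (added example).

A SIGNATURE file is a PGP clear-signed message whose body lists one
"SHA1 <hexdigest> <path>" line per file.  Two independent checks apply:
  1. every listed digest must match the file on disk (done here);
  2. the clear-signature must verify with gpg AND the signing key must be
     one you trust (NOT done here; see the gpg/trust discussion above).
All sample file contents below are constructed, not a real distribution.
"""
import hashlib
import re

SIGNED_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"
DIGEST_LINE = re.compile(r"^SHA1 ([0-9a-f]{40}) (\S+)$")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def digest_lines(files: dict) -> str:
    """Build the body that gets clear-signed: one SHA1 line per file, sorted."""
    return "\n".join(f"SHA1 {sha1_hex(files[p])} {p}" for p in sorted(files))


def clearsign_skeleton(body: str) -> str:
    """Wrap a body in the clear-signed framing of a SIGNATURE file.
    The signature block is a placeholder; a real file carries gpg's output."""
    return (
        f"{SIGNED_BEGIN}\nHash: SHA1\n\n{body}\n"
        f"{SIG_BEGIN}\n[signature block placeholder]\n{SIG_END}\n"
    )


def extract_signed_body(text: str) -> str:
    """Return the text between the clear-sign header and the signature block."""
    start = text.index(SIGNED_BEGIN)
    end = text.index(SIG_BEGIN, start)
    section = text[start:end]
    # Clear-signed messages separate the "Hash:" header from the body with
    # one blank line.
    header, _, body = section.partition("\n\n")
    if "Hash:" not in header:
        raise ValueError("no Hash: header in clear-signed message")
    return body.strip("\n")


def verify_digests(signature_text: str, files: dict):
    """Compare every digest line against the supplied {path: bytes} mapping.
    Returns (ok, problems); problems names missing, mismatched and unlisted
    paths so a reviewer sees exactly what deviated from the signed list."""
    body = extract_signed_body(signature_text)
    problems = []
    listed = set()
    for line in body.splitlines():
        m = DIGEST_LINE.match(line)
        if not m:
            problems.append(f"malformed line: {line!r}")
            continue
        digest, path = m.groups()
        listed.add(path)
        if path not in files:
            problems.append(f"missing: {path}")
        elif sha1_hex(files[path]) != digest:
            problems.append(f"mismatch: {path}")
    # A file that is present but never covered by the signed list is just as
    # suspicious as a changed one.
    for path in sorted(set(files) - listed):
        problems.append(f"unlisted: {path}")
    return (not problems, problems)


SAMPLE_FILES = {  # constructed sample distribution contents
    "Changes": b"1.00  2006-05-13  first release\n",
    "MANIFEST": b"Changes\nMANIFEST\nlib/Foo.pm\n",
    "lib/Foo.pm": b"package Foo;\n1;\n",
}


def demo():
    """Sign the sample files, verify them, then verify a modified copy."""
    sig = clearsign_skeleton(digest_lines(SAMPLE_FILES))
    ok_clean, _ = verify_digests(sig, SAMPLE_FILES)
    modified = {**SAMPLE_FILES, "lib/Foo.pm": b"package Foo;\n# changed after signing\n1;\n"}
    ok_modified, problems = verify_digests(sig, modified)
    return ok_clean, ok_modified, problems


if __name__ == "__main__":
    print(demo())
```

In a real check the same body would first be handed to `gpg --verify`, and a digest match would only count once gpg reports a good signature from a key the keyring marks as trusted; that is where the root-keyring and `default-key` setup described in the thread comes in.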