develooper Front page | perl.qa | Postings from December 2007

Re: What's the point of a SIGNATURE test?

From: Adrian Howard
Date: December 11, 2007 00:53
Subject: Re: What's the point of a SIGNATURE test?
Message ID: D0479561-E3E6-4F40-87D0-BF334E166D83@quietstars.com

On 11 Dec 2007, at 05:12, Michael G Schwern wrote:

> Adam Kennedy posed me a stumper on #toolchain tonight.  In short, having a
> test which checks your signature doesn't appear to be an actual deterrent to
> tampering.  The man-in-the-middle can just delete the test, or just the
> SIGNATURE file since it's not required.  So why ship a signature test?
>
> The only thing I can think of is to ensure the author that the signature
> they're about to ship is valid, but that's not something that needs to be
> shipped.
[snip]

It is something that needs to be shipped if you have the "CPAN is the  
definitive version of a module. Somebody can fork from it" attitude.

It certainly doesn't have to run though...

Adrian
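The argument in the quoted message and the reply can be made concrete with a toy model of a distribution and its SIGNATURE file. This is an added example, not code from the thread or from Module::Signature: it stands in for the PGP signature with an HMAC over a SHA-256 digest list (the key, file names and contents are all constructed), which is enough to show the control flow. It contrasts three checks: the author's pre-release verification, the shipped `t/signature.t` pattern that skips when the test or SIGNATURE is absent, and an installer-side policy that insists on a valid signature whatever the tarball carries.

```python
"""Toy model of the SIGNATURE-test discussion (added example, not from the thread).

Module::Signature's PGP signature is replaced here by an HMAC over a digest
list; this is a stand-in for illustration, not the real file format."""
import hashlib
import hmac

# Constructed signing key; a real release would use the author's PGP key.
AUTHOR_KEY = b"constructed-author-signing-key"


def digest_list(files):
    """Build a SIGNATURE-style body: one 'SHA256 <hex> <name>' line per file.

    `files` maps a path to its bytes; the SIGNATURE file itself is excluded."""
    lines = []
    for name in sorted(files):
        if name == "SIGNATURE":
            continue
        lines.append(f"SHA256 {hashlib.sha256(files[name]).hexdigest()} {name}")
    return "\n".join(lines) + "\n"


def sign_distribution(files, key):
    """Return the SIGNATURE body: the digest list plus a tag computed over it."""
    body = digest_list(files)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "TAG " + tag + "\n"


def verify_signature(files, key):
    """True only if SIGNATURE is present, its tag verifies under `key`,
    and the digest list matches the files actually in the distribution."""
    sig = files.get("SIGNATURE")
    if sig is None:
        return False
    body, _, tag_line = sig.decode().rpartition("TAG ")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag_line.strip(), expected):
        return False
    return body == digest_list(files)


def shipped_signature_test(files, key):
    """The shipped t/signature.t pattern: the test only runs when both it and
    SIGNATURE are present, so removing either one yields a skip, not a failure."""
    if "t/signature.t" not in files or "SIGNATURE" not in files:
        return "skip"
    return "pass" if verify_signature(files, key) else "fail"


def installer_policy_check(files, key):
    """An installer-side policy that requires a valid signature from the
    expected key, independent of what the tarball ships."""
    return verify_signature(files, key)


def make_release():
    """The author's release as uploaded: contents, the signature test, SIGNATURE."""
    files = {
        "lib/Foo.pm": b"package Foo;\n1;\n",
        "t/signature.t": b"# runs Module::Signature-style verification\n",
    }
    files["SIGNATURE"] = sign_distribution(files, AUTHOR_KEY).encode()
    return files


def tamper_contents(files):
    """Constructed in-transit modification of a module file, SIGNATURE left alone."""
    changed = dict(files)
    changed["lib/Foo.pm"] = b"package Foo;\n# modified in transit\n1;\n"
    return changed


def strip_signature(files):
    """Constructed in-transit removal of SIGNATURE and the test that checks it."""
    stripped = dict(files)
    stripped.pop("SIGNATURE", None)
    stripped.pop("t/signature.t", None)
    return stripped


if __name__ == "__main__":
    release = make_release()
    print("author pre-release check:", verify_signature(release, AUTHOR_KEY))
    print("shipped test, intact:", shipped_signature_test(release, AUTHOR_KEY))
    modified = tamper_contents(release)
    print("shipped test, modified:", shipped_signature_test(modified, AUTHOR_KEY))
    stripped = strip_signature(modified)
    print("shipped test, stripped:", shipped_signature_test(stripped, AUTHOR_KEY))
    print("installer policy, stripped:", installer_policy_check(stripped, AUTHOR_KEY))
```

The author's check passes, and the shipped test does catch a modified file when SIGNATURE is still there, but once SIGNATURE and the test are gone the shipped test simply skips: the only check that still fails is the one the installer enforces against a key it already trusts, which is the point of the quoted message. The SIGNATURE file remains useful to whoever forks from CPAN, since a valid signature under the author's key is how a fork can show where its contents came from.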



nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About