develooper Front page | perl.perl5.porters | Postings from July 2003

[PATCH CPAN.pm] unlink pre-PGP-signed CHECKSUM

From: Autrijus Tang
Date: July 28, 2003 18:58
Subject: [PATCH CPAN.pm] unlink pre-PGP-signed CHECKSUM
Message ID: 20030729015834.GA7149@not.autrijus.org

This patch handles the case for users that:

    - used CPAN.pm to install modules from $some_author
      before 2003-02-06 (the CHECKSUM Signing Day), 
    - and later upgraded CPAN.pm to 1.74
    - but $some_author never uploaded anything since 20030206
    - resulting in a valid, but not signed, CHECKSUM
    - and hence utterly breaking the PGP check

Thanks to Randal Schwartz for helping me to figure it out.

Cheers,
/Autrijus/

--- lib/CPAN.pm.orig	Tue Jul 29 09:42:37 2003
+++ lib/CPAN.pm	Tue Jul 29 09:44:02 2003
@@ -4248,6 +4248,14 @@
     $lc_want =
 	File::Spec->catfile($CPAN::Config->{keep_source_where},
 			    "authors", "id", @local);
+
+    my $fh = FileHandle->new;
+    if (open($fh, $lc_want)){
+	# purge and refetch old (pre-PGP) CHECKSUMS; they are a security hazard
+	my $line = <$fh>; close $fh;
+	unlink($lc_want) unless $line =~ /PGP/;
+    }
+
     local($") = "/";
     if (
 	-s $lc_want
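
Review bot: The return value of `unlink($lc_want) unless $line =~ /PGP/;` is ignored, so if the delete fails the old unsigned file is still in place when the `-s $lc_want` test just below runs, which is the state the commit message says breaks the PGP check. Consider warning or bailing out when unlink returns false. Two smaller points in the same block: `$line` is undef when the file is empty, so the match warns under -w (`defined $line && $line =~ /PGP/` avoids that), and `open($fh, $lc_want)` is a two-argument open on a path built from configuration, where the three-argument form `open($fh, '<', $lc_want)` would keep any mode characters in the name from being interpreted. The comment could also say that matching /PGP/ on the first line only decides whether to refetch and is not itself a signature check.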


