https://bugzilla.redhat.com/show_bug.cgi?id=2035341

--- Comment #5 from Tomas Hoger <thoger@xxxxxxxxxx> ---
Upstream fixes linked in comment 2 do not completely address all issues - they still make it possible to include crafted $cksum data before the signed content of the CHECKSUMS file and have that accepted by App::cpanminus.

This problem was reported upstream via:

https://github.com/miyagawa/cpanminus/issues/639

Upstream responded that their decision was to not fix and rather remove signature verification completely:

https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8992ba04b925e
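
A structural check for the problem described in the comment above, added here as an example and not taken from cpanminus or the upstream fixes: it isolates the clearsigned body of a CHECKSUMS-style file and rejects the file when `$cksum` appears anywhere outside that body. The function names and both sample files are constructed for illustration, and the check complements OpenPGP signature verification, which it does not perform.

```perl
use strict;
use warnings;

# Armor boundary lines of an OpenPGP cleartext-signed message.
my $BEGIN_MSG = qr/^-----BEGIN PGP SIGNED MESSAGE-----\n/m;
my $BEGIN_SIG = qr/^-----BEGIN PGP SIGNATURE-----\n/m;
my $END_SIG   = qr/^-----END PGP SIGNATURE-----\n?/m;

# Hypothetical helper: returns (text before block, signed body, text after block),
# or an empty list unless exactly one well-formed clearsigned block is present.
sub split_clearsigned {
    my ($text) = @_;
    $text =~ s/\r\n/\n/g;
    my $blocks = () = $text =~ /${BEGIN_MSG}/g;
    return unless $blocks == 1;
    return unless $text =~
        /\A(.*?)${BEGIN_MSG}(?:[A-Za-z]+: [^\n]*\n)*\n(.*?)${BEGIN_SIG}.*?${END_SIG}(.*)\z/s;
    my ($before, $body, $after) = ($1, $2, $3);
    $body =~ s/^- //mg;    # undo dash-escaping inside the signed text
    return ($before, $body, $after);
}

# Hypothetical helper: returns the signed body only, or undef when the file is
# malformed or carries a $cksum assignment outside the signed region.
sub trusted_checksums_text {
    my ($text) = @_;
    my @parts = split_clearsigned($text) or return;
    my ($before, $body, $after) = @parts;
    return if "$before\n$after" =~ /\$cksum\b/;
    return $body;    # parse this, never the whole file
}

# Constructed sample input; the signature block is a placeholder, not a real one.
my $signed = <<'EOT';
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

$cksum = { 'Foo-1.0.tar.gz' => { sha256 => 'CONSTRUCTED-A' } };
-----BEGIN PGP SIGNATURE-----

CONSTRUCTEDPLACEHOLDER
-----END PGP SIGNATURE-----
EOT
my $prefixed = q{$cksum = { 'Foo-1.0.tar.gz' => { sha256 => 'CONSTRUCTED-B' } };} . "\n" . $signed;

for my $case (['clean', $signed], ['prefixed', $prefixed]) {
    my $body = trusted_checksums_text($case->[1]);
    printf "%-9s %s\n", $case->[0], defined $body ? 'accept (signed body only)' : 'reject';
}
```

A caller would still verify the signature over the same bytes and hand only the returned body to whatever parses the checksum data.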