https://bugzilla.redhat.com/show_bug.cgi?id=2035341
--- Comment #5 from Tomas Hoger <thoger(a)redhat.com> ---
Upstream fixes linked in comment 2 do not completely address all issues - they
still make it possible to include crafted $cksum data before the signed content
of the CHECKSUMS file and have that accepted by App::cpanminus. This problem
was reported upstream via:
https://github.com/miyagawa/cpanminus/issues/639
Upstream responded that their decision was to not fix and rather remove
signature verification completely:
https://github.com/miyagawa/cpanminus/commit/1afe4a9cac56fa593e24bf5714c8...
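One defensive way to handle the problem class described in the comment above is to reject any file that carries data outside its single signed block and to pass only the signed cleartext on to later parsing. The following Python is an added example, not part of the original comment and not cpanminus code; it assumes CHECKSUMS is an OpenPGP cleartext-signed file, and `signed_body`, `UnsignedContentError` and the sample strings are constructed for illustration.

```python
import re

BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"
SIG_BEGIN = "-----BEGIN PGP SIGNATURE-----"
SIG_END = "-----END PGP SIGNATURE-----"

class UnsignedContentError(ValueError):
    """Raised when the file carries data outside its single signed block."""

def signed_body(text):
    """Return the cleartext covered by the signature, or raise.

    Structural check only: the signature itself must still be verified
    (for example with gpg) over the very same bytes.
    """
    lines = text.splitlines()
    # Exactly one of each armor line, as whole lines and in order.
    for marker in (BEGIN, SIG_BEGIN, SIG_END):
        if lines.count(marker) != 1:
            raise UnsignedContentError("expected exactly one %r" % marker)
    start, sig, end = (lines.index(m) for m in (BEGIN, SIG_BEGIN, SIG_END))
    if not start < sig < end:
        raise UnsignedContentError("armor lines out of order")
    # Nothing but blank lines may precede or follow the signed message.
    if any(l.strip() for l in lines[:start] + lines[end + 1:]):
        raise UnsignedContentError("data outside the signed block")
    # Armor headers (e.g. "Hash: SHA256") run up to the first empty line.
    try:
        blank = lines.index("", start + 1, sig)
    except ValueError:
        raise UnsignedContentError("missing blank line after armor headers")
    for header in lines[start + 1:blank]:
        if not re.fullmatch(r"Hash: [A-Za-z0-9, -]+", header):
            raise UnsignedContentError("unexpected armor header")
    # Undo the "- " dash-escaping used inside cleartext signatures.
    body = [l[2:] if l.startswith("- ") else l for l in lines[blank + 1:sig]]
    return "\n".join(body) + "\n"

# Constructed samples: placeholder digests and a placeholder signature.
CKSUM = "$cksum = { 'Foo-1.0.tar.gz' => { 'sha256' => 'aa' } };"
GOOD = "\n".join([BEGIN, "Hash: SHA256", "", CKSUM, SIG_BEGIN, "",
                  "(constructed placeholder, not a real signature)",
                  SIG_END, ""])
TAMPERED = "$cksum = { 'Foo-1.0.tar.gz' => { 'sha256' => 'bb' } };\n" + GOOD
```

`signed_body(GOOD)` returns only the signed `$cksum` line, while `signed_body(TAMPERED)` raises `UnsignedContentError` because a line precedes the armor header.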