[Changes for 0.82 - Sun Aug 26 23:00:04 CST 2018]
* Fix CRLF handling on Win32. (@niklasholm)
* Default to SHA256 on new hashes as SHA1 is deprecated. (@niklasholm)
Problems found locating distfiles:
Package f-prot-antivirus6-fs-bin: missing distfile fp-NetBSD.x86.32-fs-6.2.3.tar.gz
Package f-prot-antivirus6-ws-bin: missing distfile fp-NetBSD.x86.32-ws-6.2.3.tar.gz
Package libidea: missing distfile libidea-0.8.2b.tar.gz
Package openssh: missing distfile openssh-7.1p1-hpn-20150822.diff.bz2
Package uvscan: missing distfile vlp4510e.tar.Z
Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden). All existing
SHA1 digests retained for now as an audit trail.
Upstream changes:
[Changes for 0.79 - Mon May 18 23:02:11 CST 2015]
* Restore "cpansign --skip" functionality.
Contributed by: CLOOS
[Changes for 0.78 - Thu Apr 9 16:58:27 CST 2015]
* Fix verify() use from cpanm and CPAN.pm.
Contributed by: ANDK
[Changes for 0.77 - Wed Apr 8 19:36:50 CST 2015]
* Include the latest public keys of PAUSE, ANDK and AUDREYT.
* Clarify scripts/cpansign copyright to CC0.
Reported by: @pghmcfc
[Changes for 0.76 - Wed Apr 8 18:05:48 CST 2015]
* Fix signature tests by defaulting to verify(skip=>1)
when $ENV{TEST_SIGNATURE} is true.
Reported by: @pghmcfc
[Changes for 0.75 - Tue Apr 7 04:56:09 CST 2015]
Two more issues reported by John Lightsey:
* Update ChangeLog.
* More protection of @INC from relative paths.
Fix various issues reported by John Lightsey:
[Changes for 0.74 - Tue Apr 7 02:39:14 CST 2015]
Fix various issues reported by John Lightsey:
* Fix GPG signature parsing logic.
* MANIFEST.SKIP is no longer consulted unless --skip is given.
* Properly use open() modes to avoid injection attacks.
{perl>=5.16.6,p5-ExtUtils-ParseXS>=3.15}:../../devel/p5-ExtUtils-ParseXS
since pkgsrc enforces the newest perl version anyway, so they
should always pick perl, but sometimes (pkg_add) don't due to the
design of the {,} syntax.
No effective change for the above reason.
Ok joerg
[Changes for 0.73 - Wed Jun 5 23:44:57 CST 2013]
* Properly redo the previous fix using File::Spec->file_name_is_absolute.
[Changes for 0.72 - Wed Jun 5 23:19:02 CST 2013]
* Only allow loading Digest::* from absolute paths in @INC,
by ensuring they begin with \ or / characters.
Contributed by: Florian Weimer (CVE-2013-2145)
[Changes for 0.71 - Tue Jun 4 18:24:10 CST 2013]
* Constrain the user-specified digest name to /^\w+\d+$/.
* Avoid loading Digest::* from relative paths in @INC.
Contributed by: Florian Weimer (CVE-2013-2145)
[Changes for 0.70 - Thu Nov 29 01:45:54 CST 2012]
* Don't check gpg version if gpg does not exist.
This avoids unnecessary warnings during installation
when gpg executable is not installed.
Contributed by: Kenichi Ishigaki
[Changes for 0.69 - Fri Nov 2 23:04:19 CST 2012]
* Support for gpg under these alternate names:
gpg gpg2 gnupg gnupg2
Contributed by: Michael Schwern
Do it for all packages that
* mention perl, or
* have a directory name starting with p5-*, or
* depend on a package starting with p5-
like last time, for 5.18, where this didn't lead to complaints.
Let me know if you have any this time.
a) refer 'perl' in their Makefile, or
b) have a directory name of p5-*, or
c) have any dependency on any p5-* package
Like last time, where this caused no complaints.
pkgsrc changes:
- switch from gnupg-1 (more or less depreciated) to Crypt::OpenPGP and a
bunch of used encoders and digest modules
- use Module::Install::Bundled module type
- remove patch - works fine with current infrastructure for now
Upstream changes:
[Changes for 0.66 - Fri, 6 Sep 2010 22:51:37 +0200]
* Fix incompatibility with EU::Manifest 1.54 to 1.57
(Paul Howarth) (Closes RT#61124).
[Changes for 0.65 - Fri, 3 Sep 2010 21:38:02 +0200]
* Skip MYMETA (Alexandr Ciornii)
to trigger/signal a rebuild for the transition 5.10.1 -> 5.12.1.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=..."), minus the packages updated after
the perl package update.
sno@ was right after all, obache@ kindly asked and he@ led the
way. Thanks!
Pkgsrc changes:
- placate pkglint
Upstream changes:
[Changes for 0.64 - Sun, 9 May 2010 00:50:11 +0200]
* Avoid creating gnupg configuration files for the user invoking Makefile.PL
(Closes RT#41978).
* Correctly detect the version of gnupg on cygwin and add tests for it
(Paul Fenwick) (Closes RT#39258).
Upstream changes:
[Changes for 0.63 - Sun, 28 Mar 2010 04:46:27 +0100]
* Fix diagnostic message from Makefile.PL when the user dosn't have gnupg or
Crypt::OpenPGP (miyagawa).
[Changes for 0.62 - Tue, 23 Mar 2010 22:17:39 +0100]
* Change the default keyserver from the outdated pgp.mit.edu to
pool.sks-keyservers.net.
[Changes for 0.61]
* Added "=encoding utf8" to POD to fix author name display.
No functional changes.
[Changes for 0.60]
* LICENSING CHANGE: This compilation and all individual files in it
are now under the nullary CC0 1.0 Universal terms:
To the extent possible under law, 唐鳳 has waived all copyright and
related or neighboring rights to Module-Signature.
* Updated Module::Install to 0.91, prompted by Florian Ragwitz.
to trigger/signal a rebuild for the transition 5.8.8 -> 5.10.0.
The list of packages is computed by finding all packages which end
up having either of PERL5_USE_PACKLIST, BUILDLINK_API_DEPENDS.perl,
or PERL5_PACKLIST defined in their make setup (tested via
"make show-vars VARNAMES=...").
[Changes for 0.55 - 2006-07-29]
* ANDK submitted a patch to fix versioning problem when
the user elects to install Crypt::OpenPGP.
* Major refactoring of the Makefile.PL to ease the installation process.
[Changes for 0.54 - 2006-05-12]
* Fixed a long-standing bug where differing end-of-line conventions
could cause bogus comparisons in signature checks.
* Fixed another long-standing bug where CRLF text files were hashed
into different digests under Unix and Dosish platforms. Now it's
consistently hashed as if it's been normalized to LF.
* Optional dependencies are no longer installed-by-default.
[Changes for 0.53 - 2006-01-31]
* The explicit call to "readline(D)" didn't compile on earlier perls which
demanded either "readline(*D)" or "<D>" -- I elected the latter form.
Reported by: Matthew Persic
* Update my author key to reflect revoked past uids.
[Changes for 0.52 - 2006-01-19]
* POD and source code cleanup; no functional changes.
* Updated my author key to reflect my new name and identity.
* Upgrade to the latest Module::Install to fix Cygwin
installation problems.
Reported by: Lyle Ziegelmiller
[Changes for 0.51 - 2006-01-02]
* Even more flexible CRLF handling for SIGNATURE files,
Contributed by: Andreas Koenig.
[Changes for 0.50 - 2005-08-21]
* Add support for to SHA-256, requested by Mark Shelor in light
of the recent SHA1 attacks. SHA1 is still the default, but
you can now override this by settings MODULE_SIGNATURE_CIPHER
environment variable to SHA256.
[Changes for 0.45 - 2005-08-09]
* Andreas Koenig ported out that "Import GPG keys?" was asked
far too many times during autoinstall.
developer is officially maintaining the package.
The rationale for changing this from "tech-pkg" to "pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list). Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.
* Add "pmfiles.dat" to legacy manifest_skip routine to accomodate
early Win32 hacks. Reported by Steve Hay via Michael Schwern.
[Changes for 0.43 - 2004-12-16]
* Updated t/0-signature.t to be more friendly with Test::More;
contributed by Michael Schwern.
* Add $Timeout (default 3 seconds) to control the timeout for
probing connections to the key server.
* Take account of the .ts files produced by newer MakeMakers
in the suggested MANIFEST.SKIP list.
[Changes for 0.42 - 2004-11-20]
* Move under SVK version control management; ditch keyword tags.
* Michael Schwern pointed out that during development, the
"signature.t" file would keep failing.
* Documented how to generate SIGNATURE files as part of "make dist",
for Module::Install, ExtUtils::MakeMaker and Module::Build users .
module directory has changed (eg. "darwin-2level" vs.
"darwin-thread-multi-2level").
binary packages of perl modules need to be distinguishable between
being built against threaded perl and unthreaded perl, so bump the
PKGREVISION of all perl module packages and introduce
BUILDLINK_RECOMMENDED for perl as perl>=5.8.5nb5 so the correct
dependencies are registered and the binary packages are distinct.
addresses PR pkg/28619 from H. Todd Fujinaka.
Collection.
The Perl 5 module Module::Signature adds cryptographic authentications
to CPAN distributions, via the special SIGNATURE file.
If you are a module user, all you have to do is to remember running
cpansign -v (or just cpansign) before issuing perl Makefile.PL or
perl Build.PL; that will ensure the distribution has not been
tampered with. For module authors, you'd want to add the SIGNATURE
file to your MANIFEST, then type cpansign -s before making a
distribution. You may also want to consider adding a signature
check as part of your test suite.
