File: DB.pod

package info (click to toggle)
libcpansa-db-perl 20250521.001-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 14,084 kB
  • sloc: perl: 161,990; makefile: 2
file content (79 lines) | stat: -rw-r--r-- 2,255 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
 
# created by util/generate at Thu May 22 02:32:39 2025
# https://github.com/briandfoy/cpan-security-advisory.git 165ea3314be76abd499cfa4d0c58d6f9b144b1c6

=encoding utf8

=head1 NAME

CPAN::Audit::DB - the CPAN Security Advisory data as a Perl data structure, mostly for CPAN::Audit

=head1 SYNOPSIS

This module is primarily used by L<CPAN::Audit>.

	use CPAN::Audit::DB;

	my $db = CPAN::Audit::DB->db;

=head1 DESCRIPTION

The C<db> subroutine returns the CPAN Security Advisory (CPANSA) reports
as a Perl data structure. However, anything can use this.

Each release also comes with a F<.gpg> file that has the signature
for the file. If you cannot confirm that the module file has the
right signature, it might have been corrupted or modified.

This module is available outside of CPAN as a release on GitHub:
L<https://github.com/briandfoy/cpan-security-advisory/releases>.
Each release on GitHub includes an attestation.

There is also a JSON file that provides the same datastructure.

=head2 Subroutines

There is exactly one subroutine:

=over 4

=item * db

Returns the hashref of all the CPANSA reports.

=back

=head1 VERIFYING

This distribution now uses
L<GitHub Attestations|https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/>,
which allow you to verify that the archive file you have was made from
the official repo.

You need a GitHub account and the L<gh tool|https://github.com/larsks/ghcli>.

	# download the distro file from GitHub, MetaCPAN, or a CPAN mirror
	$ gh auth login
	...follow instructions...
	$ gh attestation verify CPANSA-DB-20241111.tar.gz --owner briandfoy

Additionally, each release codes with GPG signature that allows you to
verify that this. The key is the same one used when the database was
distributed with L<CPAN::Audit>:

	$ gpg --verify lib/CPANSA/DB.pm.gpg lib/CPANSA/DB.pm
	gpg: Signature made Mon Nov 18 11:00:10 2024 EST
	gpg:                using RSA key 75AAB42CBA0D7F37F0D6886DF83F8D5E878B6041
	gpg: Good signature from "CPAN::Audit (brian d foy) (https://github.com/briandfoy/cpan-audit) <bdfoy@cpan.org>" [ultimate]

=head1 SEE ALSO

Everything is managed in GitHub:

=over 4

=item * L<https://github.com/briandfoy/cpan-security-advisory/releases>

=back

=cut