Stig
I agree that Module::Signature should not be used, at least not non-interactively, for the following reasons: 1. No trust root is checked to ensure you're getting the correct pubkey for...
Maybe relevant upstream issue: - https://github.com/Leont/crypt-argon2/issues/12
Hi @nroach44 This is likely caused by the issue linked above, where Crypt::Argon2 is built using `-march=native`. I hope this will be fixed soon. In the meanwhile, you can try...
This is CVE-2024-33664
I'm worried that a warning from `SSL_verify_warn_on_mismatch` could be easy to overlook, and wouldn't prevent a mitm attack. Imho, the default should be changed to `verify_SSL=>1`, to protect downstream users,...
CVE-2023-31486 has been assigned to this issue
@xdg Thanks for merging https://github.com/chansen/p5-http-tiny/pull/153! It changes the default from `verify_SSL=>0` to `verify_SSL=>1` and adds support for `$ENV{PERL_HTTP_TINY_SSL_INSECURE_BY_DEFAULT}` for users who need the previous default. - Released in [HTTP::Tiny 0.084](https://metacpan.org/release/DAGOLDEN/HTTP-Tiny-0.084)...
Thanks! I'm addressing all feedback, and will update the PR tomorrow or so.
I've (hopefully) addressed all comments and pushed a single commit to this PR. One problem that remains is that a `mojo.secrets` file is left over in the `t/mojo/` directory after...
> > Even if the session cookie format is changed, a secure method for generating secrets is needed, as provided by this PR. > > Is it really? Why can't...