Hi, welcome to Perl, the One True Religion.

Use https://metacpan.org to browse CPAN. You can see the test reports for modules; how many people (and who) gave the module a plus; open issues/bugs; other modules that depend on it; the modules that it depends on; the Changes log (and how recently it was updated); also read the source code and look at the tests in the module's test suite. After some time you will start to recognize the names of trustworthy authors and the characteristics of trustworthy (and untrustworthy) distributions. (But I've never heard of malware in a CPAN module FWIW.)

Some people like to install Task::Kensho which is a curated collection of modules.

It's always worth giving a shout out here in the Chatterbox ("Anybody using Frobnicate::Blorgle to process the widget?").

For an intro to OOP as well as other Perl techniques and idioms checkout "Modern Perl" by chromatic, although be aware that the (free) book discusses Moose, which is an unnecessarily heavy and complex OO framework for most jobs; I'd recommend Moo instead (almost all the content in the book will still apply). (There is also of course the Perl doc on the subject, beginning with perlootut, but it's a little dry and few programmers these days eschew Moo or one of the other frameworks.)

Hope this helps!

@ 1nickt

I will need to review the link and I suspect I will need to check each library that was used

Also looking forward to reading the "modern Perl" and looking into "Moose" and "Moo", since I know nothing of OOP and OOP with Perl. Sounds like I have my work cut out for me

thank you

@ 1nickt

That form of reference doesn't work here. (Didn't you notice?)

Write [1nickt] — this gets rendered as 1nickt.

Please read the PerlMonks FAQ, and in particular: What shortcuts can I use for linking to other information?

I reckon we are the only monastery ever to have a dungeon stuffed with 16,000 zombies.

"It's always worth giving a shout out here in the Chatterbox ("Anybody using Frobnicate::Blorgle to process the widget?")."

This is good advice, as is asking "I found a few distributions on $name's MetaCPAN page, and am wondering if anyone has any experiences with that author.".

Often the author themselves may be here to answer any direct questions while the OP gets feedback from other users.

You could also contact the author directly to ask specific questions or to get a gauge of their responsiveness.

Regarding OOP books, I found that "Object Oriented Perl" by Damian Conway (ISBN 1-884777-79-1) gave me an easily accessible introduction to OO programming, which I had not touched before. The book was written quite some time ago now and things have moved on a bit in the Perl OOP world but the principles are still sound and the style of writing is informative and witty. As textbooks go, very enjoyable!

@johngg
Added the book to my list... thank you!!!

For a somewhat lengthier discussion and references about Perl's OO literature see also Which is best book to start learning Object Oriented Perl?

That book teaches object oriented analysis and design? IIRC it does not. It doesn't even mention crc cards

Come on, CRC cards may be a useful software engineering tool used in agile and extreme programming, they are certainly not central to the idea of object-oriented programming.

I frankly think that Damian's OOP book is very good, it really explains fairly well what OOP is all about.

The only problem is that it is a bit outdated in the sense that it uses the early Perl 5 object-oriented concepts, rather than the more modern implementations offered by frameworks such as Moose, Moo, Mouse, or even Mo, etc. Still, it is a very good introduction to POO concepts.

I am worried, because I heard that some libraries on Github had some bitCoin mining software compiled into the library.

Don't install from github, install from CPAN. While nobody can guarantee that any code is entirely free from malware such instances will not survive long on CPAN as they have many more eyes on them and are (usually) quickly spotted and removed.

However, how do I check or validate the authenticity of the libraries/modules (not sure what is the true name) installed from cpan?

I am worried, because I heard that some libraries on Github had some bitCoin mining software compiled into the library.

For scenarios like this, validating that the package is intact would not help, because that attack was conducted by a person with entirely legitimate uploader rights. If you want to protect yourself from malicious module owners, you have to conduct audits of third-party modules you depend on.

Implementing security audits across a whole repository is not an easy thing to do, since it is a lot of work to do (orders of magnitude more than any package repository is currently doing), it puts hurdles between would-be uploaders and their ability to publish their packages ("What do you mean, I have to wait a few days before my Widget::Frobnicator can be made public? What do you mean, rejected sub blorgle {} is impossible to follow because of goto-based logic coupled with cryptic variable names? Forget it, I'm uploading it on GitHub"), and it doesn't actually solve the problem: you would still have to trust a lot of reviewers instead of trusting a lot of package uploaders.

The R language tries to hold a middle ground by having a policy of always paying more attention to uploads by new maintainers and cases when maintainer e-mail address changes and never accepting binaries (the copay attack had been conducted by placing malicious code in the minified script - equivalent of compiled code in JavaScript world). PAUSE also has complex rules for when it comes to packages changing owners, but it always boils down to verifying the packages you depend upon yourself.

@ aitap

Yes this is what I am talking about and what I heard about. I heard people talking about some trusted library being injected and it turned out it had BitCoin mining software.

I will review the 'Module::Signature', but from a quick glance over this is what I envisioned or steps I should be using. I envisioned a method of checking 'keys' and '256sum' like methods I do when I download Linux, yet I am very new to Linux as well.

I ask these questions because I am very new to the industry and very unsure as to (1)What to do, (2)What I should be doing and (3)How to become a better coder.

I took my current position because it is programming, and I get to use Linux and QNX. It is a big jump up for me since I was just call center helpdesk

Thank you for the links

My favourite book on OO in Perl has always been Randal Schwartz's Learning Perl Objects, References and Modules.

It provides many of the necessary bits you need to understand not only about OO, but about some of the important items related to it for a well-rounded explanation.

It's been several years since I've read it, and although published in 2012, is still very valuable. I recall some of the examples were fun.

After you understand Perl's built-in OO functionality, you'll be able to start looking at some of the distributions that wrap the functionality with an easier (some say) and more feature-rich interface (Moo for example).

Personally, for the vast majority of my projects, I use straight Perl OO.

Update: The book I mentioned is strictly Perl, but honestly, once you have the basic concepts down, you'll pretty well understand it for translation to any other OO language (obviously syntax and several other aspects will differ).

See also. Regards, Karl

With respect to "Check authenticity of cpan mods installed", I know that every tarball accepted on CPAN has a few checksum attributes computed and stored in the corresponding CPAN author directory.

For example, let's say you are interested in this specific distribution release:

You can find the "checksum" for every file on ANDK directory at

This file has a data structure encoded in Perl itself, and the bit that matters for the tarball in question is

  'CPAN-Checksums-2.12.tar.gz' => {
    'md5' => 'a98eaa3f96c052ee73690459d8e7a4f4',
    'md5-ungz' => 'e49a4710110f8a6a916ece44165ee1e8',
    'mtime' => '2016-06-14',
    'sha256' => '99600fb2d1a007f84e16b5eae608ffbc288bd0af92fbcc5d73120
+d43ee5d2d38',
    'sha256-ungz' => 'aaddaf9ca455863e3f28c55e26741251640ee477906e3e03
+8f5e330ccf406970',
    'size' => 14868
  },
[download]

So you can write code to make sure the downloaded tarball matches the corresponding attributes / checksums.

For example, the commands below (on OS X) manually "check" the size and md5 sum of the .gz file.

  
$ curl -O https://cpan.metacpan.org/authors/id/A/AN/ANDK/CPAN-Checksum
+s-2.12.tar.gz

$ stat -f '%N %z' CPAN-Checksums-2.12.tar.gz 
CPAN-Checksums-2.12.tar.gz 14868

$ md5 CPAN-Checksums-2.12.tar.gz 
MD5 (CPAN-Checksums-2.12.tar.gz) = a98eaa3f96c052ee73690459d8e7a4f4
[download]

I think some CPAN clients (especiallly CPAN which is part of Perl core) may be configured to verify those checksums while downloading and installing. Someone else may correct me or point to the specific incantations to make that work.