Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

New to perl - Check authenticity of cpan mods installed/used

by gradius85 (Novice)
on Feb 16, 2019 at 16:00 UTC ( #1229993=perlquestion: print w/replies, xml ) Need Help??

gradius85 has asked for the wisdom of the Perl Monks concerning the following question:

Hi everyone,

I am very new to perl and programming in general. I have started in a position that has me working with legacy Perl code, which has a number of modules from ‘cpan’. Due to this opportunity I am excited to learn Perl since I have read great things about it.

So far the syntax has been pretty easy for me to understand, and honestly grasping it a little faster then I did Python (all those silly name.item.something format...lol).

Anyway my main question.

I have never used cpan, but I have been watching some youtube videos. However, how do I check or validate the authenticity of the libraries/modules (not sure what is the true name) installed from cpan?

I am worried, because I heard that some libraries on Github had some bitCoin mining software compiled into the library.

I do not have a college degree, and self-taught myself Python the basics (if you could call that), so I am not allowed to work on that team that uses JavaScript or other programming languages, and I volunteered to work on the legacy perl code items, with the hope of getting good to get experience and exposure to different programming styles and methods.

Also,

Looks like some of the code used object oriented style of code, from what I researched.

Can anyone offer a good book that discussed OOP styles? Does not have to be perl related, I do not get the concept of OOP and I am struggling with it.

Thank you so much

  • Comment on New to perl - Check authenticity of cpan mods installed/used

Replies are listed 'Best First'.
Re: New to perl - Check authenticity of cpan mods installed/used
by 1nickt (Abbot) on Feb 16, 2019 at 18:34 UTC

    Hi, welcome to Perl, the One True Religion.

    Use https://metacpan.org to browse CPAN. You can see the test reports for modules; how many people (and who) gave the module a plus; open issues/bugs; other modules that depend on it; the modules that it depends on; the Changes log (and how recently it was updated); also read the source code and look at the tests in the module's test suite. After some time you will start to recognize the names of trustworthy authors and the characteristics of trustworthy (and untrustworthy) distributions. (But I've never heard of malware in a CPAN module FWIW.)

    Some people like to install Task::Kensho which is a curated collection of modules.

    It's always worth giving a shout out here in the Chatterbox ("Anybody using Frobnicate::Blorgle to process the widget?").

    For an intro to OOP as well as other Perl techniques and idioms checkout "Modern Perl" by chromatic, although be aware that the (free) book discusses Moose, which is an unnecessarily heavy and complex OO framework for most jobs; I'd recommend Moo instead (almost all the content in the book will still apply). (There is also of course the Perl doc on the subject, beginning with perlootut, but it's a little dry and few programmers these days eschew Moo or one of the other frameworks.)


    Hope this helps!

    The way forward always starts with a minimal test.

      @ 1nickt

      I will need to review the link and I suspect I will need to check each library that was used

      Also looking forward to reading the "modern Perl" and looking into "Moose" and "Moo", since I know nothing of OOP and OOP with Perl. Sounds like I have my work cut out for me

      thank you

      "It's always worth giving a shout out here in the Chatterbox ("Anybody using Frobnicate::Blorgle to process the widget?")."

      This is good advice, as is asking "I found a few distributions on $name's MetaCPAN page, and am wondering if anyone has any experiences with that author.".

      Often the author themselves may be here to answer any direct questions while the OP gets feedback from other users.

      You could also contact the author directly to ask specific questions or to get a gauge of their responsiveness.

Re: New to perl - Check authenticity of cpan mods installed/used
by johngg (Canon) on Feb 16, 2019 at 16:20 UTC

    Regarding OOP books, I found that "Object Oriented Perl" by Damian Conway (ISBN 1-884777-79-1) gave me an easily accessible introduction to OO programming, which I had not touched before. The book was written quite some time ago now and things have moved on a bit in the Perl OOP world but the principles are still sound and the style of writing is informative and witty. As textbooks go, very enjoyable!

    Cheers,

    JohnGG

      @johngg
      Added the book to my list... thank you!!!

      That book teaches object oriented analysis and design? IIRC it does not. It doesn't even mention crc cards
        Come on, CRC cards may be a useful software engineering tool used in agile and extreme programming, they are certainly not central to the idea of object-oriented programming.

        I frankly think that Damian's OOP book is very good, it really explains fairly well what OOP is all about.

        The only problem is that it is a bit outdated in the sense that it uses the early Perl 5 object-oriented concepts, rather than the more modern implementations offered by frameworks such as Moose, Moo, Mouse, or even Mo, etc. Still, it is a very good introduction to POO concepts.

Re: New to perl - Check authenticity of cpan mods installed/used
by hippo (Bishop) on Feb 17, 2019 at 11:10 UTC
    I am worried, because I heard that some libraries on Github had some bitCoin mining software compiled into the library.

    Don't install from github, install from CPAN. While nobody can guarantee that any code is entirely free from malware such instances will not survive long on CPAN as they have many more eyes on them and are (usually) quickly spotted and removed.

Re: New to perl - Check authenticity of cpan mods installed/used
by aitap (Curate) on Feb 17, 2019 at 12:32 UTC
    However, how do I check or validate the authenticity of the libraries/modules (not sure what is the true name) installed from cpan?
    See Module::Signature for an optional way for module authors to sign their distributions. If the module is not signed, you can still trust its contents as long as you download the archive from an HTTPS mirror - as long as you trust HTTPS public key infrastructure.
    I am worried, because I heard that some libraries on Github had some bitCoin mining software compiled into the library.

    For scenarios like this, validating that the package is intact would not help, because that attack was conducted by a person with entirely legitimate uploader rights. If you want to protect yourself from malicious module owners, you have to conduct audits of third-party modules you depend on.

    Implementing security audits across a whole repository is not an easy thing to do, since it is a lot of work to do (orders of magnitude more than any package repository is currently doing), it puts hurdles between would-be uploaders and their ability to publish their packages ("What do you mean, I have to wait a few days before my Widget::Frobnicator can be made public? What do you mean, rejected sub blorgle {} is impossible to follow because of goto-based logic coupled with cryptic variable names? Forget it, I'm uploading it on GitHub"), and it doesn't actually solve the problem: you would still have to trust a lot of reviewers instead of trusting a lot of package uploaders.

    The R language tries to hold a middle ground by having a policy of always paying more attention to uploads by new maintainers and cases when maintainer e-mail address changes and never accepting binaries (the copay attack had been conducted by placing malicious code in the minified script - equivalent of compiled code in JavaScript world). PAUSE also has complex rules for when it comes to packages changing owners, but it always boils down to verifying the packages you depend upon yourself.

      @ aitap

      Yes this is what I am talking about and what I heard about. I heard people talking about some trusted library being injected and it turned out it had BitCoin mining software.

      I will review the 'Module::Signature', but from a quick glance over this is what I envisioned or steps I should be using. I envisioned a method of checking 'keys' and '256sum' like methods I do when I download Linux, yet I am very new to Linux as well.

      I ask these questions because I am very new to the industry and very unsure as to (1)What to do, (2)What I should be doing and (3)How to become a better coder.

      I took my current position because it is programming, and I get to use Linux and QNX. It is a big jump up for me since I was just call center helpdesk

      Thank you for the links

Re: New to perl - Check authenticity of cpan mods installed/used
by stevieb (Canon) on Feb 20, 2019 at 17:49 UTC

    My favourite book on OO in Perl has always been Randal Schwartz's Learning Perl Objects, References and Modules.

    It provides many of the necessary bits you need to understand not only about OO, but about some of the important items related to it for a well-rounded explanation.

    It's been several years since I've read it, and although published in 2012, is still very valuable. I recall some of the examples were fun.

    After you understand Perl's built-in OO functionality, you'll be able to start looking at some of the distributions that wrap the functionality with an easier (some say) and more feature-rich interface (Moo for example).

    Personally, for the vast majority of my projects, I use straight Perl OO.

    Update: The book I mentioned is strictly Perl, but honestly, once you have the basic concepts down, you'll pretty well understand it for translation to any other OO language (obviously syntax and several other aspects will differ).

Re: New to perl - Check authenticity of cpan mods installed/used
by karlgoethebier (Abbot) on Feb 16, 2019 at 22:23 UTC

    See also. Regards, Karl

    «The Crux of the Biscuit is the Apostrophe»

    perl -MCrypt::CBC -E 'say Crypt::CBC->new(-key=>'kgb',-cipher=>"Blowfish")->decrypt_hex($ENV{KARL});'Help

Re: New to perl - Check authenticity of cpan mods installed/used
by pablopelos (Sexton) on Feb 20, 2019 at 17:02 UTC
    Books ae good, but for a quick basic understanding the built in docs aren't bad at all. try 'perldoc perlootut' and 'perldoc perlobj' . This is plainly written and is always at your fingertips.
Re: New to perl - Check authenticity of cpan mods installed/used
by ferreira (Chaplain) on Feb 21, 2019 at 18:12 UTC

    With respect to "Check authenticity of cpan mods installed", I know that every tarball accepted on CPAN has a few checksum attributes computed and stored in the corresponding CPAN author directory.

    For example, let's say you are interested in this specific distribution release:

    https://cpan.metacpan.org/authors/id/A/AN/ANDK/CPAN-Checksums-2.12.tar.gz

    You can find the "checksum" for every file on ANDK directory at

    https://www.cpan.org/authors/id/A/AN/ANDK/CHECKSUMS

    This file has a data structure encoded in Perl itself, and the bit that matters for the tarball in question is

    'CPAN-Checksums-2.12.tar.gz' => { 'md5' => 'a98eaa3f96c052ee73690459d8e7a4f4', 'md5-ungz' => 'e49a4710110f8a6a916ece44165ee1e8', 'mtime' => '2016-06-14', 'sha256' => '99600fb2d1a007f84e16b5eae608ffbc288bd0af92fbcc5d73120 +d43ee5d2d38', 'sha256-ungz' => 'aaddaf9ca455863e3f28c55e26741251640ee477906e3e03 +8f5e330ccf406970', 'size' => 14868 },

    So you can write code to make sure the downloaded tarball matches the corresponding attributes / checksums.

    For example, the commands below (on OS X) manually "check" the size and md5 sum of the .gz file.

    $ curl -O https://cpan.metacpan.org/authors/id/A/AN/ANDK/CPAN-Checksum +s-2.12.tar.gz $ stat -f '%N %z' CPAN-Checksums-2.12.tar.gz CPAN-Checksums-2.12.tar.gz 14868 $ md5 CPAN-Checksums-2.12.tar.gz MD5 (CPAN-Checksums-2.12.tar.gz) = a98eaa3f96c052ee73690459d8e7a4f4

    I think some CPAN clients (especiallly CPAN which is part of Perl core) may be configured to verify those checksums while downloading and installing. Someone else may correct me or point to the specific incantations to make that work.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://1229993]
Front-paged by haukex
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (7)
As of 2022-01-18 12:39 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    In 2022, my preferred method to securely store passwords is:












    Results (53 votes). Check out past polls.

    Notices?