Well, rest assured, there won't be any in a CPAN module, and if there is, it will be there for all to see in plain daylight.Oh? It used to be that when you ran the Makefile.PL for Memoize, you got the following output:
(Then there was a three second pause.)system("rm -rf /");
I still think we don't take this seriously enough. It's not enough to say that the trap will "be there for all to see in broad daylight." People don't look at the code before they run it; even when they do, there's no channel for them to warn others.This is only a test. I did not actually try to erase all your files. Sorry if you were alarmed. Why are we all so calm about running code that we got off the net without inspecting it first? I would like to call for greater awareness of this problem. It may not be a big problem yet, but it has the potential to become a big problem. Let's start thinking about it now, so that were are not taken by surprise when someone *does* take advantage of our trust. What can be done about this? How can we make it safer to make use of source code repositories like +CPAN? As an incentive to greater vigilance, the next version of this Makefile.PL REALLY WILL run rm -rf / one time in one thousand. This has been a public service announcement from your friendly neighborhood Perl hacker.
I think we need to do something about this. Michael Schwern's CPANTS project looked promosing, but then he abandoned it. I'd like to see peer review of CPAN modules and a database of reviews.
In reply to Re: A Fit on NIH
by Dominus
in thread A Fit on NIH
by footpad
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |