Re: Blatant security problem in certain CPAN module installs

This makes these modules completely unsuitable for an unprotected upload to CPAN, as all CPAN testers will then unknowingly download code from the web that is not on the CPAN - a bad situation indeed.

Don't get the thought that if the code is from CPAN, it's secure. It isn't. CPAN is not a site you can trust. The fallacy in this idea is that you treat CPAN as if it were a single site whose owner you can trust. But CPAN is a collection of hundreds of mirror sites, with no central control. How would you know that the mirror you download a module from doesn't give you software that installs a backdoor? "Thousands of eyes" wouldn't help you there - even if there are lots of people doing CPAN code audit checks, a malicious CPAN mirror might give you backdoor software based on your IP address.

Abigail

Comment on Re: Blatant security problem in certain CPAN module installs

Replies are listed 'Best First'.
Re: Re: Blatant security problem in certain CPAN module installs by jacques (Priest) on May 03, 2004 at 23:24 UTC
CPAN is not a site you can trust. Yet CPAN is often the first thing a Perl advocate trumpets.	[reply]
Re: Blatant security problem in certain CPAN module installs by Abigail-II (Bishop) on May 04, 2004 at 00:02 UTC
CPAN is not a site you can trust. Yet CPAN is often the first thing a Perl advocate trumpets. Trumpets by advocates don't create security. Just because something isn't secure doesn't mean it can't be useful. CPAN is nothing more than an archive - and an archive with no control. CPAN is made by people. Good coders. Bad coders. Trustworthy coders. Malicious coders. PAUSE is an equal opportunity CPAN portal. Anyone can upload anything. This is CPAN's power. This is also what makes it dangerous. (Just like a motorsaw. Powerful, but dangerous). People should be well aware of the risks. Education is their only safety net. Abigail	[reply]