in reply to Re: Re: <rant>CPAN modules failing to check for write errors</rant>
in thread <rant>CPAN modules failing to check for write errors</rant>

Some of these scripts drive the back ends for multi-million pound companies [...]

Right, but the guy who wrote the CPAN module probably did so to help him out with a 20 liner at home; conversely, if the module had been written for a multi-million pound company in the first place, chances are it would never have been okayed for release to CPAN.

Now I don't run a multi-million pound company, but I do see it as my responsibility to audit the CPAN code I employ, more or less carefully according to the criticality of the operations I'm using it for. If I'm not happy with the code I don't use it - either I roll my own, or I adapt it for my needs.

While it would be nice if all the code offered for free on CPAN were perfect, we're unlikely to reach that happy state any time soon.

One perfectly valid option is to offer the author some money to harden their code, either direct or through the convenience of a TPF grant.

Hugo

Re: Re: Re: Re: <rant>CPAN modules failing to check for write errors</rant>
by Ninthwave (Chaplain) on May 29, 2004 at 13:36 UTC

    I agree with the last half of your comment.

    • You should audit the code you use.
    • You should harden it, and you should resubmit the code back to the author and back to CPAN.
    • Or pay the author to harden it.

    But outside of that the community as a whole has a responsibility to understand the users' needs. CPAN modules are for users; what users need is what the author should focus on. This is usually easy because the code you are working on is for your own needs, and if you need something there is a probability someone else will need it or find it useful once you are done with it.

    But I think the point this post is making is, with more people using CPAN modules blindly as time goes on, what is the community's responsibility to the code on CPAN? With the recent meditations on security in CPAN modules and this, I think this whole debate can be changed slightly to: does the PERL community need to audit the offerings on CPAN occasionally? And if so, should there be a mechanism of discussion for what is found in the audit process?

    Now I think that is being done, just the fact that the poster posted this shows the code gets reviewed. And the possible redresses for the situation have been stated, but I think the poster is asking for something more active from the community as a whole in general.

    "No matter where you go, there you are." BB
      Yes - your assessment is spot on, that's what I was trying to say.

      As we now have CPAN ratings, maybe that could be extended to address user error and security concerns. Comments would have to pass through some moderation process and module authors should be given reasonable time to address such issues. If they fail to do so, then a caution should be logged against that module - this doesn't stop others from continuing to use it, but does ensure they are made aware of potential shortcomings.

      Maybe something based around that would be possible?

Re: Re: Re: Re: <rant>CPAN modules failing to check for write errors</rant>
by Anonymous Monk on May 29, 2004 at 18:47 UTC
    Well I don't own a multi-million pound company either - I just write scripts that are used by some, but not many - if only my pay reflected that :)

    Modules specifically written for companies will generally not get released due to ownership issues, but often they're just written for specific in-house tasks which are not that useful to anyone else (apart from the odd competitor!).

    From my own experience, you might be surprised how much CPAN code does get used by companies. I don't want people to stop releasing modules to CPAN because there's some great stuff out there, and I don't expect them to be perfect either - mine certainly aren't!

    It's just that recently when auditing potential modules for our own use, I've seen a few that don't check for write failures and that worries me a bit - I can't see any situation where that's a good idea.

    I suppose I'm trying to say if an author writes a module to scratch an itch - fantastic, but please think about proper error checking before releasing it to CPAN because many other people may start to depend on it :)
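The failure mode the reply above describes, as an added illustration that is not code from the thread or from any CPAN module: an unchecked writer beside a checked one. The script and its `write_unchecked` / `write_checked` names are constructed for this example; the only assumption is a Linux `/dev/full` device, which accepts `open` but fails every flush with ENOSPC, so a "disk full" can be reproduced without filling a filesystem.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed example of the pattern the thread complains about: the
# return values of print() and close() are ignored, so a full disk, a
# broken pipe or a permissions problem is silently swallowed and the
# caller is told the data was written.
sub write_unchecked {
    my ($path, @lines) = @_;
    open(my $fh, '>', $path) or die "Cannot open $path: $!";
    print $fh $_ for @lines;   # result ignored
    close($fh);                # result ignored
    return 1;                  # always reports success
}

# Hardened version: every step that can fail is checked and the error is
# returned to the caller. print() only hands data to PerlIO's buffer, so
# an ENOSPC/EIO is frequently reported only when the buffer is flushed,
# which for small writes means at close(). Checking close() is therefore
# the part that catches the "disk full" case.
sub write_checked {
    my ($path, @lines) = @_;
    open(my $fh, '>', $path) or return (0, "open $path: $!");
    for my $line (@lines) {
        print {$fh} $line or return (0, "write $path: $!");
    }
    close($fh) or return (0, "close $path: $!");
    return (1, undef);
}

# Demonstration. /dev/full is assumed to exist (Linux); elsewhere the
# script explains why it cannot reproduce the condition and stops.
my $target = '/dev/full';
if (!-e $target) {
    print "No $target on this system; cannot simulate a full disk.\n";
    exit 0;
}

my $ok_unchecked = write_unchecked($target, "line 1\n", "line 2\n");
print 'unchecked writer reports: ', ($ok_unchecked ? 'success' : 'failure'), "\n";

my ($ok, $err) = write_checked($target, "line 1\n", "line 2\n");
print 'checked writer reports:   ', ($ok ? 'success' : "failure ($err)"), "\n";
```

On a Linux box the first writer claims success while the second reports a failure from `close` carrying the ENOSPC message in `$!`, which is exactly the discrepancy an audit of a module's I/O paths should be looking for. `use autodie;` makes `open` and `close` throw on failure automatically, but it deliberately does not wrap `print`, so the explicit `or` check on `print` (or a check on `close`) is still needed in either style.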