He is right. It's just superstition to be looking for security holes in those sloppily set permissions. An attacker is never going to go through a million artificial contortions when he is in a position to walk right in through the front door, because what would that buy him? And since you're going to be executing Makefile.PL anyway, you are offering an open front door.

It's another matter if the mode is 777 of course — since someone else could exploit that. 755 instead of 644 is harmless but annoying for other reasons.

Makeshifts last the longest.