in reply to Procedure for finding/searching for existing code

I tend to be very wary of using code from script sites that are not at least in some way intertwined with CPAN, such as this site. Without a peer review process, it's all-too-common to see "cargo-cult programming" hard at work on these freebie sites, and security vulnerabilities abound.

Perhaps this is an over-generalization, but I've seen one-too-many a security note come across Bugtraq about a script that's been made available on one of these freebie Perl archives. Generally on CPAN, and on sites where code can be reviewed like this one, major problems are caught beforehand.

Note that this also extends to Perl code purchased from an outside vendor. I have dealt with only 3 or 4 major Perl packages acquired in this manner, but they ALL had SERIOUS security problems, which I was thankfully able to patch up, but in all cases it was clear that the developer knew little about the science of programming. Finding a good Perl developer is a very hard thing to do. That is a major reason why Perl is not an officially supported language in my company. :)


Re: Re: Procedure for finding/searching for existing code
by belize (Deacon) on Jan 14, 2001 at 21:05 UTC
    So what you are suggesting is that a programmer only search and use code from CPAN and this site unless very experienced with PERL because of the potential security problems from unaware programmers?

    Does everyone else agree?

      Well, this site or any other that has a good solid peer review process. I'd mention SourceForge, but unless someone knows about a project there and takes an active interest in it, nobody's going to see it, whereas here, each post is considered a learning exercise, so you have a ton of people who are willing to look at it, some to teach, others to learn themselves.

      I'm afraid I don't know of many other sites like that, and to be honest, when in doubt, I ask for the advice of some of the people here, and am never sorry.

      But yeah, if you're using something to put out onto a production server, and you're not familiar enough with Perl to be able to audit it not only for suitability to your task, but for security and efficiency, you probably want to run it by somebody that is that familiar with Perl. Generally most everything you see on CPAN and PM especially has already been through that process.

      Yes, I agree totally with Fastolfe. I've seen all too many Perl scripts that have been made by freebies that have nasty security holes in them. For example, I one day came across a script (newsdesk) that read from a flatfile database and output a nicely formatted news list. This is all nice, but the script allowed the user to read any file on the system, and even to run commands (by adding a | at the end). This kind of thing would not be too hard to notice if you just know a bit of Perl. But I've seen some sites (too many) actually using this script.

      // Martin A
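As an added illustration of the bug class Martin A describes (this is not code from the thread or from the newsdesk script itself): a Perl handler that passes a user-supplied item name to two-argument open, next to a hardened version. The directory, file names and the way the name arrives are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not from the thread. Contrasts the pattern Martin A
# describes (a newsdesk-style script handing a user-supplied name to
# two-argument open) with a hardened version. Paths and names are hypothetical.
use strict;
use warnings;

my $NEWS_DIR = '/var/www/newsdesk/data';   # hypothetical flat-file directory

# VULNERABLE: two-argument open parses the whole string as "mode + path".
# A name containing "../" escapes the directory and reads any readable file;
# a name ending in "|" turns the open into a pipe from a shell command,
# which is exactly the hole the post describes.
sub read_news_unsafe {
    my ($name) = @_;
    open(my $fh, "$NEWS_DIR/$name") or return;
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# HARDENED: allow-list the name, append the extension ourselves, and use
# three-argument open so the user string can only ever be a path component.
# Under taint mode (perl -T) the regex capture is also what untaints $name.
sub read_news_safe {
    my ($name) = @_;
    return unless defined $name
        && $name =~ /\A([A-Za-z0-9_-]{1,64})\z/;   # no '/', '.', '|', spaces
    my $path = "$NEWS_DIR/$1.txt";
    open(my $fh, '<', $path) or return;             # '<' pins the mode: read-only file
    my @lines = <$fh>;
    close $fh;
    return \@lines;
}

# Minimal driver: the item name arrives from the caller (query string,
# form field, or here the command line); only the hardened path is wired up.
my $lines = read_news_safe($ARGV[0] // '');
print defined $lines ? @$lines : "No such news item.\n";
```

The audit check this suggests for any downloaded script is mechanical: grep for two-argument `open` (and backticks or `system` with interpolated variables) and confirm every value that reaches them has been validated against an allow-list first.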