in reply to Creating a Bundle:: with all deps?

Except, the client is paranoid and won't let this machine talk to the "Big Bad Outside World". Only my machine is allowed to talk to it from outside their DMZ.
As a security advocate, I wouldn't call the person paranoid. Yes, too much security, and you can't get anything done. But it is commonplace to have production machines, if that is what this is, do very VERY specific things. I'm sorry it sounds like I'm jumping down your throat, but I am asking people who read what you wrote to think of some of the consequences of not DMZing.

Web servers normally have connections only coming in from a certain set of IPs; if you're doing NAT or a load balancer, this may be small. If the device is just packet forwarding, it's huge! The connections going out from the same server would normally be really small, since as a web server its duty is to serve pages, not to be a resource to access other foreign resources.

That being said, anything going onto the machine is normally verified as the required set of changes for auditing and quality purposes. If one day CPAN was hacked, as has happened to public repositories, and you tried to use it, that new machine would have "bad code".

If you package your modules, and they went down a pipe to get to production, directly from dev or through QA: 1) the code you downloaded has had a gestation period for people to download the code and say, "HOLY CRAP!"; 2) what everyone has validated and audited as going into production really is just that. No surprise upgrades.

Easiest suggestion I can recommend, have a target that is, "pristine." Install a tool like tripwire and run it against the pristine target. Now run CPAN. Run a tripwire report to see what has changed. That will be your list of things to export.

A nicer way would be to have two copies of production on a dev box, then run cpan targeting one. Do a diff. Enjoy! :)

Both solutions would work even if you weren't using CPAN and can't easily figure out the differences for modules, configuration files, beer.. stuff.. yeah.
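The "pristine target, run CPAN, diff" procedure from the post above, as an added example that is not part of the original thread: instead of tripwire it uses a plain file manifest (sha256 of every file under the tree), takes one before the install and one after, and prints the set of new or modified files, which is exactly the list to package for production. The directory layout and the simulated install in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): snapshot a "pristine" tree before
# running cpan, snapshot it again afterwards, and diff the two manifests to
# get the exact list of files to export to production.
# Paths are recorded relative to the tree root so two checkouts compare.
set -eu
export LC_ALL=C   # deterministic sort/comm ordering

# Prefer GNU sha256sum; fall back to shasum (e.g. on macOS).
hash_files() {
    if command -v sha256sum >/dev/null 2>&1; then
        xargs -0 sha256sum
    else
        xargs -0 shasum -a 256
    fi
}

# manifest ROOT OUTFILE: write sorted "sha256  relative/path" lines.
manifest() {
    root=$1; out=$2
    ( cd "$root" && find . -type f -print0 | hash_files ) \
        | sed 's#  \./#  #' | sort > "$out"
}

# changed_files BEFORE AFTER: print paths that are new or modified in AFTER.
# Removed files are ignored: there is nothing to export for them.
changed_files() {
    before=$1; after=$2
    # comm -13 keeps lines present only in AFTER; a modified file shows up
    # because its hash (and therefore its whole line) changed.
    comm -13 "$before" "$after" | sed 's/^[^ ]*  //' | sort
}

# demo: constructed pristine tree, simulated cpan install, then the diff.
demo() {
    work=$(mktemp -d)
    # Constructed "pristine" target standing in for the production image.
    mkdir -p "$work/tree/lib/perl5" "$work/tree/etc"
    echo "package Existing; 1;" > "$work/tree/lib/perl5/Existing.pm"
    echo "cpan_config" > "$work/tree/etc/cpan.conf"
    manifest "$work/tree" "$work/before.txt"

    # Simulated cpan run: one new module, one rewritten config file.
    mkdir -p "$work/tree/lib/perl5/Foo"
    echo "package Foo::Bar; 1;" > "$work/tree/lib/perl5/Foo/Bar.pm"
    echo "cpan_config_updated" > "$work/tree/etc/cpan.conf"
    manifest "$work/tree" "$work/after.txt"

    changed_files "$work/before.txt" "$work/after.txt"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh snapshot.sh demo`; on a real box call `manifest / before.txt`, run `cpan`, `manifest / after.txt`, then feed `changed_files before.txt after.txt` to `tar -T -` to build the bundle. Hashing rather than mtime is deliberate: a CPAN install that rewrites a file with the same size and timestamp still changes its hash, and the manifest itself is something QA can sign off on.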

Re^2: Creating a Bundle:: with all deps?
by pileofrogs (Priest) on Feb 02, 2006 at 17:24 UTC

    Yes! Thank you Sporty! I don't think the client's requirements are unreasonable at all..

    --Pileofrogs

      Absolutely, I don't think anyone here feels that the client was unreasonable. I'm pretty sure dragonchild used the word "paranoid" only to make it crystal-clear that the client is very strict about security.

      The only thing that made me wonder is the emphasis on outside connectivity, rather than on the code being introduced to the machine. I have the feeling that

      1. Only allowing the cpan shell to go out and download code, while closing everything else down, is pretty simple to arrange with a simple set of firewall rules
      2. The risk of unwanted traffic to the machine is way lower than the inherent risk of installing foreign code

      Personally, I'd rather trust my firewall rules than the new code. If I were paranoid about security, I'd prefer to audit each and every newly installed module in favor of worrying about network traffic during the installation. Of course, that's a much harder problem, and for practical reasons alone I'd be inclined to trust CPAN code to be secure. But then I'd no longer be paranoid :-)

        It is NOT about the quality of code on CPAN. It's about the code that is expected to be installed and where you are getting it from. For instance, I didn't write the perl interpreter, the c compiler and what not. But when production machines get stuff installed on it, you need to increase the metric of trust /heavily/. It is not paranoia.

        From a dictionary..

        Exhibiting or characterized by extreme and irrational fear or distrust of others: a paranoid suspicion that the phone might be bugged.

        "paranoid." The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. Answers.com 02 Feb. 2006. http://www.answers.com/topic/paranoid

        Extreme and irrational fear or distrust. Note the keyword irrational. If I'm mincing words, forgive me, 'cause the context and the further context implies a negative tone, not something tongue-in-cheek, thus my lengthy reply.

        Once a machine is established as secure, it needs to stay such. Outbound firewalling prevents installed malware or plain ol' hacked machines from being used for DDoS, spam, or as a proxy of sorts.

        It's not all about the quality of CPAN. It's about what was tested and still working. It's about the sysadmin having the go-ahead from QA that some N is being installed, nothing more, nothing less.

        Any repository can be hacked, or bad uploads to the repository can occur. Don't fool yourself into thinking that copying something you know is working from a dev or QA box to production is silly, vs. getting it from CPAN.
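Two posts in this thread touch on the firewall side: the suggestion that letting only the cpan shell out is "a simple set of firewall rules", and the point that outbound filtering stops a compromised box being used for DDoS, spam or proxying. As an added example (not from the thread), here is what that looks like with iptables: default-deny egress, with a pinhole only for the account that runs cpan and only to one mirror. The mirror address `192.0.2.10` and the account name `cpanuser` are hypothetical. The script defaults to dry-run and just prints the commands; set `IPTABLES_DRYRUN=0` and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny outbound traffic with a
# pinhole so only the cpan account can reach one designated mirror.
# Mirror IP and user name are hypothetical placeholders.
set -eu
: "${IPTABLES_DRYRUN:=1}"   # 1 = print commands, 0 = really call iptables

run() {
    if [ "$IPTABLES_DRYRUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# apply_rules MIRROR_IP CPAN_USER
apply_rules() {
    mirror=$1; user=$2
    run -F OUTPUT                        # start from an empty OUTPUT chain
    run -A OUTPUT -o lo -j ACCEPT        # loopback is always allowed
    # Replies to inbound connections (the web server's actual job) still flow.
    run -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the cpan account may open new connections, and only to the mirror.
    # "-m owner" matches locally generated packets, which is all OUTPUT sees.
    run -A OUTPUT -p tcp -d "$mirror" -m multiport --dports 80,443 \
        -m owner --uid-owner "$user" -j ACCEPT
    # Log what gets dropped: a hacked box trying to spam or DDoS shows up here.
    run -A OUTPUT -j LOG --log-prefix "egress-drop: " --log-level 4
    run -P OUTPUT DROP                   # everything else is dropped
}

if [ "${1:-}" != "" ]; then
    apply_rules "$1" "${2:-cpanuser}"
fi
```

Usage: `sh egress.sh 192.0.2.10 cpanuser` to preview, `IPTABLES_DRYRUN=0 sh egress.sh 192.0.2.10 cpanuser` as root to apply. Because there is no DNS pinhole, point the cpan `urllist` at the mirror by IP (or add an `/etc/hosts` entry); that is intentional, since a name-resolution hole is the first thing a piece of malware looks for. The LOG rule is the part worth keeping after the install is done: with default-deny in place, any hit on it from a production web server is an incident, not noise.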