Absolutely, I don't think anyone here feels that the client was unreasonable. I'm pretty sure dragonchild used the word "paranoid" only to make it crystal-clear that the client is very strict about security.
The only thing that made me wonder is the emphasis on outside connectivity, rather than on the code being introduced to the machine. I have the feeling that
- Only allowing the cpan shell to go out and download code, while closing everything else down, is pretty simple to arrange with a simple set of firewall rules
- The risk of unwanted traffic to the machine is way lower than the inherent risk of installing foreign code
Personally, I'd rather trust my firewall rules than the new code. If I were paranoid about security, I'd prefer to audit each and every newly installed module in favor of worrying about network traffic during the installation. Of course, that's a much harder problem, and for practical reasons alone I'd be inclined to trust CPAN code to be secure. But then I'd no longer be paranoid :-)
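The "simple set of firewall rules" the poster has in mind, as an added example that is not part of the thread: a default-deny outbound nftables ruleset that lets the box reach one approved CPAN mirror and the internal resolver and nothing else. The addresses 192.0.2.10 (mirror) and 192.0.2.53 (resolver) are placeholders, and nftables is assumed as the firewall; the function only prints the ruleset so it can be reviewed or syntax-checked before it is loaded.

```shell
#!/bin/sh
# Added example, not from the PerlMonks thread. Generates a default-deny
# egress policy for an install/production host: replies to existing
# connections, loopback, DNS to one resolver, and HTTP/HTTPS to one CPAN
# mirror are allowed; everything else is logged and dropped.

# gen_egress_rules MIRROR_IP RESOLVER_IP -> nftables ruleset on stdout
gen_egress_rules() {
    mirror="$1"     # approved CPAN mirror (placeholder: 192.0.2.10)
    resolver="$2"   # internal DNS resolver (placeholder: 192.0.2.53)
    cat <<EOF
table inet egress {
    chain output {
        type filter hook output priority 0; policy drop;
        ct state established,related accept
        oif lo accept
        ip daddr $resolver udp dport 53 accept
        ip daddr $mirror tcp dport { 80, 443 } accept
        log prefix "egress-drop: " counter drop
    }
}
EOF
}

# Review the generated policy; to syntax-check without loading it:
#   gen_egress_rules 192.0.2.10 192.0.2.53 | nft -c -f -
# and to load it:
#   gen_egress_rules 192.0.2.10 192.0.2.53 | nft -f -
gen_egress_rules 192.0.2.10 192.0.2.53
```

The `policy drop` on the output hook is what turns this into an allow-list; the `log ... drop` line at the end is worth keeping permanently, because the dropped-packet log is also how you notice an installed module (or a compromised host) trying to phone home after the install window is over.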
It is NOT about the quality of code on CPAN. It's about the code that is expected to be installed and where you are getting it from. For instance, I didn't write the perl interpreter, the C compiler and whatnot. But when production machines get stuff installed on it, you need to increase the metric of trust /heavily/. It is not paranoia.
From a dictionary...
Exhibiting or characterized by extreme and irrational fear or distrust of others: a paranoid suspicion that the phone might be bugged.
"paranoid." The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. Answers.com 02 Feb. 2006. http://www.answers.com/topic/paranoid
Extreme and irrational fear or distrust. Note the keyword irrational. If I'm mincing words, forgive me, 'cause the context and the further context implies a negative tone, not something tongue-in-cheek, thus my lengthy reply.
Once a machine is established as secure, it needs to stay such. Outbound firewalling prevents installed malware or plain ol' hacked machines from being used for DDoS, spam, or as a proxy of sorts.
It's not all about the quality of CPAN. It's about what was tested and still working. It's about the sysadmin having the go-ahead from QA that some N is being installed, nothing more, nothing less.
Any repository can be hacked, or bad uploads to the repository can occur. Don't fool yourself into thinking that copying something you know is working from a dev or QA box to production is silly, vs. getting it from CPAN.
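One way to make "some N being installed, nothing more, nothing less" mechanical, as an added example that is not part of the thread: the QA box produces a SHA-256 manifest of the exact tarballs it tested, and the production install is gated on every tarball in the staging directory matching that manifest, with any unlisted file failing the check. The distribution names, file contents and digests below are constructed for the demo, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example, not from the PerlMonks thread. The manifest APPROVED.sha256
# is what QA hands over; it must travel by a path you trust (signed commit,
# ticket attachment, out-of-band copy), otherwise it proves nothing.

# verify_approved DIR: return 0 only if every file listed in
# DIR/APPROVED.sha256 exists with a matching digest AND every *.tar.gz in
# DIR is listed there.
verify_approved() {
    dir="$1"
    [ -f "$dir/APPROVED.sha256" ] || { echo "no manifest in $dir" >&2; return 1; }
    # every listed tarball must be present and hash correctly
    (cd "$dir" && sha256sum -c --strict --quiet APPROVED.sha256) || return 1
    # nothing may be staged that QA did not list
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        grep -q -- " $(basename "$f")\$" "$dir/APPROVED.sha256" \
            || { echo "unapproved file: $f" >&2; return 1; }
    done
}

# build_stage DIR: simulate the QA box writing the approved set + manifest
# (the "tarballs" are constructed text files, not real CPAN dists)
build_stage() {
    dir="$1"
    mkdir -p "$dir"
    printf 'constructed dist A\n' > "$dir/Foo-Bar-1.00.tar.gz"
    printf 'constructed dist B\n' > "$dir/Baz-Qux-2.01.tar.gz"
    (cd "$dir" && sha256sum ./*.tar.gz | sed 's| \./| |' > APPROVED.sha256)
}

# Scenarios; each returns the verification status so it can be checked.
scenario_clean() {
    d=$(mktemp -d); build_stage "$d"
    verify_approved "$d"; rc=$?; rm -rf "$d"; return $rc
}
scenario_tampered() {   # a file changed after QA signed off
    d=$(mktemp -d); build_stage "$d"
    printf 'modified after QA\n' >> "$d/Foo-Bar-1.00.tar.gz"
    verify_approved "$d"; rc=$?; rm -rf "$d"; return $rc
}
scenario_extra() {      # an unlisted tarball slipped into staging
    d=$(mktemp -d); build_stage "$d"
    printf 'never tested\n' > "$d/Sneaky-0.01.tar.gz"
    verify_approved "$d"; rc=$?; rm -rf "$d"; return $rc
}

scenario_clean    && echo "clean stage: approved"
scenario_tampered || echo "tampered stage: rejected"
scenario_extra    || echo "extra file: rejected"
```

Run the check immediately before `cpan`/`make install` is pointed at the staging directory; the second loop is the part people usually forget, since `sha256sum -c` alone only proves the listed files are intact and says nothing about a file that was never listed.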