in reply to Re^3: Creating a Bundle:: with all deps?
in thread Creating a Bundle:: with all deps?

It is NOT about the quality of code on CPAN. It's about the code that is expected to be installed and where you are getting it from. For instance, I didn't write the perl interpreter, the C compiler and whatnot. But when production machines get stuff installed on them, you need to increase the metric of trust /heavily/. It is not paranoia.

From a dictionary..

# Exhibiting or characterized by extreme and irrational fear or distrust of others: a paranoid suspicion that the phone might be bugged.

"paranoid." The American Heritage® Dictionary of the English Language, Fourth Edition. Houghton Mifflin Company, 2004. Answers.com 02 Feb. 2006. http://www.answers.com/topic/paranoid

Extreme and irrational fear or distrust. Note the keyword irrational. If I'm mincing words, forgive me, 'cause the context and the further context implies a negative tone, not something tongue-in-cheek, thus my lengthy reply.

Once a machine is established as secure, it needs to stay such. Outbound firewalling prevents installed malware, or plain ol' hacked machines, from being used for DDoS, for spam, or as a proxy of sorts.

It's not all about the quality of CPAN. It's about what was tested and still working. It's about the sysadmin having the go-ahead from QA that some N is being installed, nothing more, nothing less.

Any repository can be hacked, or bad uploads to the repository can occur. Don't fool yourself into thinking that copying something you know is working from a dev or QA box to production is silly, vs getting it from CPAN.
