leocharre has asked for the wisdom of the Perl Monks concerning the following question:

(This is relevant: on fixing core modules in place.) Sometimes people change core modules. I've seen this happen too. The core modules could change for different reasons also; this would be a great place to do funny stuff for some malicious persons. Potentially in-house? (Too paranoid?)

So.. how about we make a module that checks the integrity of modules on a box against a CPAN repository? Checking.. what? md5sums?

Does the cli cpan tool check integrity of installed modules? No, right? Just the version numbers..?

Does anyone see any use to have an HTTP query(able) repository of md5sums of module versions?

Could have a config file, that you tell it what to do if anomalies are found, halt perl, halt system, re-install module.. who knows..

Is there something of this sort already out there? :) Is this really something that should be in the cpan cli tool instead? Or.. something that really should be done entirely by someone else, like brian d foy? Heehee.


Replies are listed 'Best First'.
Re: Any use for a program or module that checks integrity of core modules?
by Fletch (Bishop) on May 18, 2006 at 14:44 UTC

    There are things such as tripwire that can do this on a system-wide basis.

    Update: Sorry, add a bit of context for the non-sysadmin types who may never have heard of it.

    Tripwire is a system integrity checker. You run it after you've installed a new system to generate a database of what the filesystem should look like (what user/group owns what files, their permissions, checksums). The software then is used to periodically scan for anything that doesn't match up with the baseline. When you (legitimately) update the system (install patches or new versions of software) you re-establish a new baseline and then that'll be used from then on. Its original use was as a local intrusion detection tool (griping if things that might be tampered with by a root-kit are not what they should be), but it'd be usable for the purpose mentioned in the OP as well.

Re: Any use for a program or module that checks integrity of core modules?
by samtregar (Abbot) on May 18, 2006 at 16:13 UTC
    Sounds moderately useful to me. The hard part will be dealing with all the different distributions out there, many of which apply patches to modules and mess with the module list. Also, watch out for modules that alter themselves during compilation and/or usage - for example, Config, CPAN::Config and List::Utils (or am I misremembering that last one?).

    -sam

      Ooh, this reminded me that many packaging systems have some mechanism by which you can check that what's on the disk matches up with what was installed. For instance on RPM-based Linuxen you can do something like rpm --verify perl and that'll show you if anything's changed (owner, mode, checksum, etc) from the manifest that was stored when the package was installed. Even if it doesn't support doing this directly the packaging system should have a way to get a manifest of what was installed that you could use in determining what to look at.

      Granted that won't be of as much use if you use CPAN to install things after-market (as opposed to an RPM packaged version), but it's another option.

Re: Any use for a program or module that checks integrity of core modules?
by dsheroh (Monsignor) on May 18, 2006 at 16:22 UTC
    I'm not sure this is really possible in the general case short of (effectively) doing a 'force install' on most/all modules, as many of them contain XS code and compile it during the install process. Since compilation is affected by many, many facets of the individual host's environment, there would be an effectively infinite set of "good" md5sums.
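
The per-host baseline workflow described in the replies above (record checksums once, compare later, allow for files that legitimately change), as an added example that is not part of the original thread. The names snapshot, compare and put and the skip pattern are hypothetical, SHA-256 is used in place of the md5sums mentioned in the question, and the demo tree is constructed rather than a real @INC directory:

```perl
use strict;
use warnings;
use Digest::SHA;
use File::Find;
use File::Temp qw(tempdir);

# Hash every module file and compiled XS object under the given directories.
# Compiled objects differ from host to host, so the baseline is local by design.
sub snapshot {
    my @dirs = grep { -d } @_;
    my %sum;
    return \%sum unless @dirs;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_ && /\.(?:pm|so|bundle|dll)\z/;
        $sum{$_} = Digest::SHA->new(256)->addfile($_, 'b')->hexdigest;
    } }, @dirs);
    return \%sum;
}

# Compare the current state with the baseline. $skip is a regex for files that
# are expected to change (assumption: the site decides what belongs on it).
sub compare {
    my ($base, $now, $skip) = @_;
    my @report;
    for my $f (sort keys %$base) {
        next if $skip && $f =~ $skip;
        if    (!exists $now->{$f})        { push @report, "MISSING $f" }
        elsif ($now->{$f} ne $base->{$f}) { push @report, "CHANGED $f" }
    }
    for my $f (sort keys %$now) {
        next if $skip && $f =~ $skip;
        push @report, "NEW     $f" unless exists $base->{$f};
    }
    return @report;
}

# Constructed demo tree standing in for one directory from @INC.
my $lib = tempdir(CLEANUP => 1);
sub put {
    my ($name, $text) = @_;
    open my $fh, '>', "$lib/$name" or die "$name: $!";
    print $fh $text;
    close $fh;
}
put('Foo.pm',    "package Foo; 1;\n");
put('Config.pm', "package Config; 1;\n");
my $baseline = snapshot($lib);
put('Foo.pm',    "package Foo; our \$PATCHED = 1; 1;\n");   # edited in place
put('Config.pm', "package Config; our \$x = 1; 1;\n");      # expected to change
put('Bar.pm',    "package Bar; 1;\n");                      # appeared later
print "$_\n" for compare($baseline, snapshot($lib), qr{/Config\.pm\z});
```

On a real box the call would be snapshot(@INC), with the baseline written somewhere the account being checked cannot modify and regenerated after each legitimate install or upgrade.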