Re: Malware on CPAN

There is no point setting up the spectre of a hypothetical nasty, a straw man, and then calling it a bugaboo and blaming it on CPAN. You are rattling a chain that isn’t connected to anyone or anything. You’re arguing for a causal association that simply does not have any meaning at all. Malice can be done in any language. In any library. But a contributed library (Perl or otherwise), which by definition is encountered by and reviewed by a great many people, is far less likely to be a vector for malice than original code which no one other than the disgruntled author may actually see. There are lots of lone wolves out there, and a few of them might be rabid. Their malicious tendencies are much more likely to succeed in a “one off” system that only they may see, than by a system that thousands of individuals worldwide must deal with constantly.

Replies are listed 'Best First'.
Re^2: Malware on CPAN by taint (Chaplain) on Jun 20, 2012 at 15:40 UTC
Frankly, Win* \|\| MacOS & !OSX have done their best to sheild users from the underlying processes since day 1. It's hard to point fingers at any perl module for attempting to align itself with the OS's policy. As security goes; the only real-life issue I can ever see actually arising -- which is fairly trivial, would be a case of "DNS cache poisoning" coming from the use some NET::, or DNS:: module. Of course, that also requires the module to be installed globally as root, and for the system to be running an Authoritive DNS service locally. Best practices; keep the cache life very short. Which brings me to those ^evil^ Win* module writers -- 2 issues: 1) Notepad has been able to read/write LF line endings since WinNT version 4 (cat(1)\|\|awk(1) && sed(1) will correct this for NIX users). 2) Permissions, eg; 0777. Again, NIX users have a large toolbox, and can perform the following: `#!/bin/sh # first, the folders find . -type d -print \| while read i do chmod 0755 $i done # now, the files find . -type f -print \| while read i do chmod 0644 $i done # a variation using ls(1) could also have been employed` [download] All, and all; DO examine the source before making && installing. You'd be surprised how much you can learn -- even from the routines included within the source. :) --'nuf said. #!/usr/bin/perl -Tw use strict; use perl::always; my $perl_version( 5.12.4 ); print $perl_version;	[reply] [d/l]
Re^3: Malware on CPAN by Anonymous Monk on Jun 20, 2012 at 16:51 UTC
Say, why would you do while loop instead of xargs ... `find ... -print0 \| xargs -0 chmod ...` [download] ... ? Somewhat related, I have come to like symbolic permission modes to selectively modify the permissions while preserving the rest ... `# Strip group- & world-write permissions. chmod -R g-w,o-w directory` [download]	[reply] [d/l] [select]
Re^4: Malware on CPAN by taint (Chaplain) on Jun 20, 2012 at 17:57 UTC
“ Say, why would you do while loop instead of xargs ... `find ... -print0 \| xargs -0 chmod ...` ... ? ” For consistency across NIX's && versions \|\| find(1) is guaranteed to return the same results, regardless of NIX \|\| version. :) #!/usr/bin/perl -Tw use strict; use perl::always; my $perl_version( 5.12.4 ); print $perl_version;	[reply] [d/l]
Re^5: Malware on CPAN by Anonymous Monk on Jun 20, 2012 at 23:22 UTC
Re^6: Malware on CPAN by taint (Chaplain) on Jun 21, 2012 at 00:13 UTC