http://www.perlmonks.org?node_id=349935


in reply to Blatant security problem in certain CPAN module installs

Thanks for the alert.

Not sure what the point is of checking if these modules are installed; does the Makefile.PL-fetched code get injected into them or just run at once?

Re: Re: Blatant security problem in certain CPAN module installs
by tantarbobus (Hermit) on May 03, 2004 at 06:51 UTC

    I think the point of checking is that you can't know what code was run when the module was installed (it could have installed a backdoor, whatever). And for some people that is an unacceptable risk, and they will want to know whether they installed any of the above modules, so that they may take appropriate action.

    The Makefile.PL-fetched code gets called only once at the end of the make (assuming that it is the only place the code is called).