in reply to
Re: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs
This makes these modules completely unsuitable for an unprotected upload to CPAN, as all CPAN testers will then unknowingly download code from the web that is not on the CPAN - a bad situation indeed.
Don't get the thought that if the code is from CPAN, it's secure. It isn't. CPAN is not
a site you can
trust. The fallacy in this idea is that you treat CPAN as if it were a single site whose owner you can trust. But CPAN is a collection of hundreds of mirror sites, with no central control
. How would you know that the mirror you download a module from doesn't give you software that installs a backdoor? "Thousands of eyes" wouldn't help you there - even if there are lots of people doing CPAN code audit checks, a malicious CPAN mirror might give you backdoor software based on your IP address.