Beefy Boxes and Bandwidth Generously Provided by pair Networks Joe
P is for Practical
 
PerlMonks  

Re: Blatant security problem in certain CPAN module installs

by Abigail-II (Bishop)
on May 03, 2004 at 13:54 UTC ( #350006=note: print w/ replies, xml ) Need Help??


in reply to Re: Blatant security problem in certain CPAN module installs
in thread Blatant security problem in certain CPAN module installs

This makes these modules completely unsuitable for an unprotected upload to CPAN, as all CPAN testers will then unknowingly download code from the web that is not on the CPAN - a bad situation indeed.
Don't get the thought that if the code is from CPAN, it's secure. It isn't. CPAN is not a site you can trust. The fallacy in this idea is that you treat CPAN as if it were a single site whose owner you can trust. But CPAN is a collection of hundreds of mirror sites, with no central control. How would you know that the mirror you download a module from doesn't give you software that installs a backdoor? "Thousands of eyes" wouldn't help you there - even if there are lots of people doing CPAN code audit checks, a malicious CPAN mirror might give you backdoor software based on your IP address.

Abigail


Comment on Re: Blatant security problem in certain CPAN module installs
Re: Re: Blatant security problem in certain CPAN module installs
by jacques (Priest) on May 03, 2004 at 23:24 UTC
    CPAN is not a site you can trust.

    Yet CPAN is often the first thing a Perl advocate trumpets.

[reply]
      CPAN is not a site you can trust.
      Yet CPAN is often the first thing a Perl advocate trumpets.
      Trumpets by advocates don't create security.

      Just because something isn't secure doesn't mean it can't be useful. CPAN is nothing more than an archive - and an archive with no control. CPAN is made by people. Good coders. Bad coders. Trustworthy coders. Malicious coders. PAUSE is an equal opportunity CPAN portal. Anyone can upload anything. This is CPAN's power. This is also what makes it dangerous. (Just like a motorsaw. Powerful, but dangerous). People should be well aware of the risks. Education is their only safety net.

      Abigail

[reply]

In Section Meditations

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://350006]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others exploiting the Monastery: (10)
As of 2013-06-19 08:31 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    How many continents have you visited?









    Results (648 votes), past polls