Re: Malware on CPAN

by sundialsvc4 (Monsignor)
on Jun 20, 2012 at 13:43 UTC (#977345)


in reply to Malware on CPAN

There is no point setting up the spectre of a hypothetical nasty, a straw man, and then calling it a bugaboo and blaming it on CPAN. You are rattling a chain that isn’t connected to anyone or anything. You’re arguing for a causal association that simply does not have any meaning at all. Malice can be done in any language. In any library. But a contributed library (Perl or otherwise), which by definition is encountered by and reviewed by a great many people, is far less likely to be a vector for malice than original code which no one other than the disgruntled author may actually see. There are lots of lone wolves out there, and a few of them might be rabid. Their malicious tendencies are much more likely to succeed in a “one off” system that only they may see, than by a system that thousands of individuals worldwide must deal with constantly.


Re^2: Malware on CPAN
by taint (Chaplain) on Jun 20, 2012 at 15:40 UTC

    Frankly, Win* || MacOS & !OSX have done their best to shield users from the underlying processes since day 1. It's hard to point fingers at any perl module for attempting to align itself with the OS's policy.

    As security goes; the only real-life issue I can ever see actually arising -- which is fairly trivial, would be a case of "DNS cache poisoning" coming from the use of some NET::, or DNS:: module. Of course, that also requires the module to be installed globally as root, and for the system to be running an Authoritative DNS service locally. Best practices; keep the cache life very short.

    Which brings me to those ^evil^ Win* module writers -- 2 issues:
    1) Notepad has been able to read/write LF line endings since WinNT version 4
    (cat(1)||awk(1) && sed(1) will correct this for *NIX users).
    2) Permissions, eg; 0777. Again, *NIX users have a large toolbox, and can perform the following:

    #!/bin/sh
    # first, the folders
    find . -type d -print | while read -r i; do
        chmod 0755 "$i"
    done
    # now, the files
    find . -type f -print | while read -r i; do
        chmod 0644 "$i"
    done
    # a variation using ls(1) could also have been employed

    All in all; DO examine the source before making && installing. You'd be surprised how much you can learn -- even from the routines included within the source. :)
    --'nuf said.



    #!/usr/bin/perl -Tw
    
    use strict;
    use perl::always;
    
    my $perl_version( 5.12.4 );
    
    print $perl_version;

      Say, why would you do a while loop instead of xargs ...

      find ... -print0 | xargs -0 chmod ...

      ... ?

      Somewhat related, I have come to like symbolic permission modes to selectively modify the permissions while preserving the rest ...

      # Strip group- & world-write permissions.
      chmod -R g-w,o-w directory

        Say, why would you do while loop instead of xargs ...
        find ... -print0 | xargs -0 chmod ...
        ... ?

        For consistency across *NIX's && versions || find(1) is guaranteed to return the same results, regardless of *NIX || version. :)

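The permission clean-up from taint's post and the `xargs -0` / symbolic-mode variants from the follow-up, put together as a runnable script. This is an added example, not code from the thread: the sample tree it builds (a 0777 `lib/Foo/Bar.pm` and a file name containing a space) is constructed for the demonstration, and `-print0` / `xargs -0` are GNU and BSD extensions rather than POSIX find(1), which is the portability point taint raises below. The `-perm -002` check at the end is what you would run after unpacking any distribution to confirm nothing is left world-writable.

```sh
#!/bin/sh
# Added example (not from the thread): tighten permissions on an unpacked
# distribution with find -print0 | xargs -0, so that names containing
# whitespace survive, and check what is still world-writable afterwards.
# The directory tree below is constructed for the demonstration.

set -eu

# Build a throw-away tree that mimics a carelessly packaged archive:
# everything 0777, including a file name with a space in it.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/lib" "$dir/lib/Foo"
    printf 'package Foo;\n1;\n' > "$dir/lib/Foo/Bar.pm"
    printf '# readme\n' > "$dir/README with space.txt"
    chmod -R 0777 "$dir"
    printf '%s\n' "$dir"
}

# Absolute modes, as in the original post, but over NUL-separated names:
# directories become 0755 (the x bit is needed to traverse them), files 0644.
fix_perms_absolute() {
    find "$1" -type d -print0 | xargs -0 chmod 0755
    find "$1" -type f -print0 | xargs -0 chmod 0644
}

# Symbolic modes, as in the follow-up: only strip the group- and world-write
# bits and leave everything else (e.g. an executable bit on a script) alone.
fix_perms_symbolic() {
    chmod -R g-w,o-w "$1"
}

# Number of entries that still have the world-write bit set (-perm -002).
count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Number of entries that still have the group-write bit set (-perm -020).
count_group_writable() {
    find "$1" -perm -020 | wc -l | tr -d ' '
}

# Usage: sh fixperms.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_tree)
    echo "before: $(count_world_writable "$d") world-writable entries"
    fix_perms_absolute "$d"
    echo "after:  $(count_world_writable "$d") world-writable entries"
    rm -rf "$d"
fi
```

The two fixers differ in what they preserve: the absolute form flattens every file to 0644, which also removes a legitimate execute bit from a bundled script, while `g-w,o-w` removes only the write bits the thread complains about. The count functions are the check to run either way; a non-zero result means something in the tree can still be modified by any local user.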
