Beefy Boxes and Bandwidth Generously Provided by pair Networks
We don't bite newbies here... much
 
PerlMonks  

Re^3: Getting Fed Up with ActiveState

by BrowserUk (Pope)
on Dec 03, 2006 at 19:10 UTC ( #587535=note: print w/ replies, xml ) Need Help??


in reply to Re^2: Getting Fed Up with ActiveState
in thread Getting Fed Up with ActiveState

Yes, you read that right. I'm violating my own advice here.

S'funny how things are okay for 'special cases', when those special cases are close to our own hearts.

The people who have set up CPAN mirrors are donating their bandwidth and storage.

Some interesting numbers. Template::Toolkitv2.15.zip PPM is 494 Kb.

Template::Toolkitv2.15 .tar.gz is 761 Kb.

There are currently no less than 15 versions of the latter being mirrored. Loosing two of those old versions (to say backpan) would allow 3 versions of the PPM to be held without creating any extra demand on the mirrors.

the distribution of binaries from untrusted sources is a major security issue.

Do you inspect every line of every source file in each package you install? What about all the .t files? Does anyone?

Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.

There is a pervasive logical disconnect here that says source is safe and binary not. But pervasive does not mean correct. Any and all software sourced from outside your organisation is potentially dangerous. And the idea that all the risks are negated by the potential for visual inspection, even if anyone actually did that--which they don't--is so profoundly wrong, that the idea itself, and those that expound it, should be actively and vigorously countered at every opportunity.


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.


Comment on Re^3: Getting Fed Up with ActiveState
Re^4: Getting Fed Up with ActiveState
by tsee (Curate) on Dec 03, 2006 at 19:25 UTC

    Addressing your remark about special cases: It wasn't me who started doing those binary releases of PAR. I just became responsible for the PAR releases and continued ongoing practice.

    Whether 15 versions of Template::Toolkit should be supplied via CPAN is an entirely different question than whether we should add various PPM packages per distribution.

    Furthermore, I do know organizations who only allow thoroughly inspected code to be used. But that doesn't matter. It's a question of principle.

    Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.

    That's ridiculous. Disassemble shared libraries? I don't think so. Also, you suggested that anybody should be able to upload PPMs for any modules.

    Steffen

      That's ridiculous. Disassemble shared libraries?

      It would be, had that been what I suggested, but I did not. But that you bring it up as a strawman to knock down signposts your intent.

      Ensuring the integrity of your systems by static inspection of code is impossible, even for only moderately complex software.

      The correct way to test software is by running it and observing it's behaviour. Eg. In a sandox environment. Anything less is make-work for a false sense of security.

      you suggested that anybody should be able to upload PPMs for any modules.

      Where?


      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
      "Science is about questioning the status quo. Questioning authority".
      In the absence of evidence, opinion is indistinguishable from prejudice.
        Where?

        I'm sorry. You didn't suggest that anybody should be able to upload PPMs for any modules. I read through the whole thread including Limbic Region's post which is quoted below and several of your posts. I mixed them up. I was confident that you wrote that. I should have double-checked. Sorry.

        Limbic Region wrote:

        If the author didn't develop on Win32 there should still be a mechanism to allow someone else to provide the binary distribution.

        Steffen

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://587535]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others taking refuge in the Monastery: (5)
As of 2014-10-23 03:14 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    For retirement, I am banking on:










    Results (123 votes), past polls