
CPAN Trojan Horses

by tqisjim (Beadle)
on Jun 28, 2013 at 18:11 UTC (#1041308=perlquestion)
tqisjim has asked for the wisdom of the Perl Monks concerning the following question:

I'm probably not the only person to write a CPAN module with an unnecessary dependency. In my case, even though the dependency has some peripheral use, admittedly there are ulterior motives. I'm still working out the mechanics of using optional dependencies for optional functionality. Notwithstanding, I think my approach is too sketchy and one concern is that I can get away with it.

The point is: I recently tried to install another module with the same liability. One particular dependency has many other dependencies (a chain of potential Trojan Horses) and the functionality seems irrelevant.

Are there any standard practices that I can refer to? Some way to confirm my suspicions? Ultimately, should I try to sever the unnecessary dependency myself or is there a better approach to achieve the "greater good"?

Thanks- Jim

Re: CPAN Trojan Horses
by tobyink (Abbot) on Jun 28, 2013 at 19:52 UTC

    The easy way to do optional dependencies is along these lines:

    # HAS_LWP is true only if the module loaded at compile time
    use constant HAS_LWP => eval "require LWP::UserAgent";
    ...;
    update_cache() if HAS_LWP;   # refresh only when LWP is available
    my $data = read_cache();     # otherwise fall back to the cached copy

    In terms of META.yml/META.json, there is a facility to indicate optional dependencies, though I don't see it used very often.

    package Cow { use Moo; has name => (is => 'lazy', default => sub { 'Mooington' }) } say Cow->new->name
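    As an added example (not code from the thread or from tobyink), the same optional-dependency pattern written with a block eval and a literal module name, plus the check the original question asks for: reading a distribution's META.json with the core CPAN::Meta and Module::CoreList modules to list which hard runtime dependencies are not shipped with perl. The META.json path, the URL and the cache file name are assumptions of this example and are taken from the command line.

```perl
#!/usr/bin/env perl
# Added example, not from the thread. Demonstrates (1) an optional runtime
# dependency on LWP::UserAgent and (2) listing a dist's non-core "requires"
# from its META.json so a long dependency chain is visible before installing.
use strict;
use warnings;
use CPAN::Meta;          # core since perl 5.14
use Module::CoreList;    # core since perl 5.8.9

# Block eval with a literal module name: nothing is interpolated into code,
# unlike a string eval built from a variable. Yields 1 on success, 0 otherwise.
use constant HAS_LWP => ( eval { require LWP::UserAgent; 1 } ? 1 : 0 );

# Fetch $url into $cache_file when LWP is present; always return cache contents.
sub fetch_or_cache {
    my ( $url, $cache_file ) = @_;
    if (HAS_LWP) {
        my $res = LWP::UserAgent->new( timeout => 10 )->get($url);
        if ( $res->is_success ) {
            open my $out, '>', $cache_file or die "write $cache_file: $!";
            print {$out} $res->decoded_content;
            close $out;
        }
    }
    # Without LWP (or on a failed fetch) we fall back to whatever is cached.
    open my $in, '<', $cache_file or die "no cache and no LWP: $!";
    local $/;
    return <$in>;
}

# Runtime "requires" of a distribution that this perl does not ship with.
sub non_core_requires {
    my ($meta_path) = @_;
    my $meta = CPAN::Meta->load_file($meta_path);
    my $reqs = $meta->effective_prereqs->requirements_for( 'runtime', 'requires' );
    return grep { $_ ne 'perl' && !defined Module::CoreList->first_release($_) }
        $reqs->required_modules;
}

# Usage (assumed): perl this.pl path/to/META.json
if (@ARGV) {
    print "non-core runtime requires in $ARGV[0]:\n";
    print "  $_\n" for non_core_requires( $ARGV[0] );
}
```

    Optional dependencies that are genuinely optional belong under `recommends` or `suggests` in the META prereqs rather than `requires`, which is the facility tobyink refers to.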
Re: CPAN Trojan Horses
by SuicideJunkie (Vicar) on Jun 28, 2013 at 19:37 UTC

    I personally prefer to use the Foo::Tiny modules where possible. Pure Perl and all in one place with no dependencies.

    But that's mostly because I don't like hunting down problems in a forest of dependencies and I've been unlucky about that sort of thing early on.

Re: CPAN Trojan Horses
by LanX (Bishop) on Jun 28, 2013 at 18:22 UTC
    I might frontpage the question if it were clearer... =)

    Is it about (irrelevant) dependencies or avoiding trojans or what exactly?

    Cheers Rolf

    ( addicted to the Perl Programming Language)

Re: CPAN Trojan Horses
by bulk88 (Priest) on Jun 29, 2013 at 01:09 UTC
    Trust NO ONE. Do not use CPAN. It's filled with spooks and blackhats. See Malware on CPAN.

      Be especially careful with Perl itself. It has a virus that replaces your hard drive's contents with obscene images!

      By putting "use" followed by any "module name" you thought was safe, the irreversible process will begin. Oh the horrors, the scarring caused by those pictures of toads...

      "Excuse me for butting in, but I'm interrupt-driven..."
Re: CPAN Trojan Horses
by sundialsvc4 (Abbot) on Jul 01, 2013 at 11:25 UTC

    I’m a little confused by the use of the term, Trojan Horse, which implies malfeasance . . .

    Do you mean, Dependency Hell? :-)
