PerlMonks
> It's exactly that ;-). Just try to install an old version and you will have a prompt telling you that you are installing an old version

If they're installing automatically from CPAN they'll get the latest CPAN version automatically.

If they're deliberately requesting an older version then they're doing it deliberately and don't want the warning.

If your site has a more up-to-date version than the one on CPAN surely it's your job to get the latest version uploaded to PAUSE ;-)

In any case this doesn't need you to execute arbitrary code - you just need to fetch the version number and do a comparison.

> And for the counter... knowing how many people find my work useful is one of the reasons that make me publish my modules ;-)

If you really have to have a counter then a simple HTTP GET will do the job (it can be the GET you use to get the current version if you really want to do the version checking twice).

A count of module usage produced in this way will, of course, be wildly inaccurate since there are lots of installs that have nothing to do with actual usage (CPAN testers, people who are curious but never use, etc.)

> Well, if you go through some old versions of my modules, the Makefile.PL had a prompt. After receiving a lot of users' complaints I took off the prompt. No secret backdoor.

Just because people didn't like the warning doesn't mean it shouldn't have been there. I for one would be extremely annoyed if a CPAN module was downloading and executing code that I didn't see first. Especially since in this instance there is no need to download and execute arbitrary code. From the other reactions here many people seem to share that opinion.

> The effort and time that writing modules like CGI::Builder and related documentation requires is a little bit TOO MUCH to be wasted on similar stupid hacks.

Unfortunately there is a large body of evidence that nasty people are willing to expend foolishly large amounts of time and effort in producing exploits.

Note: I am not trying to imply that you are such a nasty person. As a human being I try to be all nice and fluffy and trust people until they do something to demonstrate that I can't trust them. I like living my life that way.

However, as a computing professional I can't trust something that runs arbitrary code on my or my clients' machines. With your system look at who I have to trust (in addition to CPAN):

  • I have to trust that the code that is downloaded is actually okay and I have to go through another step to download and inspect it.
  • I have to trust that you are not an evil person who is deliberately trying to exploit my machine. You might be doing really evil things like only putting the exploit in every 8th download so a simple check on what's downloaded isn't enough.
  • I have to trust that somebody has not cracked your box and is feeding us an exploit without your knowledge.
  • I have to trust that everything between my box and your box is not pretending to be your box and feeding me an exploit.
  • etc.
> I think that a possible solution may be adding an expiration date in the code in the Makefile.PL, thus if it runs after that date, it just warns the user of the probably old version and does nothing with perl.4pro.net.

This only reduces the window of opportunity. It does not remove it.

> Any other suggestion?
  1. Just don't do it at all. Let CPAN handle your versioning problems. Get your feedback from users via e-mail, cpanratings, etc. Learn not to worry about the number of times your code is installed since it doesn't really mean much.
  2. If you really cannot cope without some meaningless numbers do not download and execute arbitrary code. You don't need to do so if all you want to do is check a version number or get a count of the number of times Makefile.PL is run.
  3. Ask the user before starting any network connections off your own back.

In reply to Re^4: CGI::Application vs CGI::Builder by adrianh
in thread CGI::Application vs CGI::Builder by gryphon
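The approach adrianh sketches above (fetch only a version number and compare it, never download and execute code, and ask the user before touching the network) written out as a Makefile.PL fragment. This is an added example, not code from the thread or from CGI::Builder; the module version, the check URL and the response strings are constructed placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the thread: "just fetch the version number and do a
# comparison". Whatever comes back over HTTP is validated as a bare version
# string and compared with version.pm; it is never eval'd or executed.
use strict;
use warnings;
use version;
use ExtUtils::MakeMaker qw(prompt);   # prompt() is the standard MakeMaker helper

our $VERSION   = '1.20';                                   # this distribution's version (placeholder)
my  $CHECK_URL = 'http://example.invalid/latest-version';  # placeholder, not a real service

# Turn an HTTP response body into a version object, or undef.
# Only a bare dotted-decimal version is accepted; anything else (an HTML error
# page, Perl code, a tampered response) is rejected rather than interpreted.
sub parse_remote_version {
    my ($body) = @_;
    return undef unless defined $body;
    my ($v) = $body =~ /\A\s*v?(\d+(?:\.\d+)*)\s*\z/ or return undef;
    return version->parse($v);
}

# Returns 1 if the remote version string is newer than ours, 0 otherwise
# (including when the response is not a version at all).
sub newer_version_available {
    my ($remote_body) = @_;
    my $remote = parse_remote_version($remote_body) or return 0;
    return version->parse($VERSION) < $remote ? 1 : 0;
}

# Ask before opening any network connection; default is "no", so an
# unattended or automated install never phones home.
# $fetch is a code ref so the network step can be replaced offline.
sub check_for_newer_version {
    my ($fetch) = @_;
    my $answer = prompt("Check $CHECK_URL for a newer version? [y/N]", 'N');
    return unless $answer =~ /^y/i;
    my $body = $fetch->($CHECK_URL);
    if (newer_version_available($body)) {
        warn "A newer version than $VERSION appears to be available; see CPAN.\n";
    }
}

# The real GET, using the core HTTP::Tiny client; only the body is returned.
sub http_fetch {
    my ($url) = @_;
    require HTTP::Tiny;
    my $res = HTTP::Tiny->new(timeout => 5)->get($url);
    return $res->{success} ? $res->{content} : undef;
}

# Offline demonstration with constructed responses instead of a live GET.
unless (caller) {
    for my $body ("1.21\n", "1.20", "<html>Not Found</html>", 'print "hello"') {
        printf "%-26s -> newer: %d\n", $body =~ s/\n//r, newer_version_available($body);
    }
    # Real check only when explicitly requested, and still behind the prompt.
    check_for_newer_version(\&http_fetch) if $ENV{REALLY_CHECK};
}
```

Run as a plain script it prints `1` for the first constructed body and `0` for the other three: an older-or-equal version, an HTML page and a string of Perl code all fail the version regex or the comparison, so nothing is ever interpreted. The same usage counter adrianh mentions would be the server's log of that single GET, with no second request and no code in the response.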
