Says jeffa:
Well, rest assured, there won't be any in a CPAN module, and if there is, it will be there
for all to see in plain daylight.
Oh? It used to be that when you ran the Makefile.PL
for Memoize, you got the following output:
system("rm -rf /");
(Then there was a three second pause.)
This is only a test. I did not actually try to erase all your files.
Sorry if you were alarmed.
Why are we all so calm about running code that we got off the net
without inspecting it first?
I would like to call for greater awareness of this problem. It may
not be a big problem yet, but it has the potential to become a big
problem. Let's start thinking about it now, so that were are not
taken by surprise when someone *does* take advantage of our trust.
What can be done about this?
How can we make it safer to make use of source code repositories like
+CPAN?
As an incentive to greater vigilance, the next version of this
Makefile.PL REALLY WILL run rm -rf / one time in one thousand.
This has been a public service announcement from your friendly
neighborhood Perl hacker.
I still think we don't take this seriously enough.
It's not enough to say that the trap will "be there
for all to see in broad daylight." People don't look
at the code before they run it;
even when they do, there's no channel for them
to warn others.
I think we need to do something about this. Michael Schwern's
CPANTS project looked promosing, but then
he abandoned it. I'd like to see peer review of CPAN
modules and a database of reviews.
-
Are you posting in the right place? Check out Where do I post X? to know for sure.
-
Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
<code> <a> <b> <big>
<blockquote> <br /> <dd>
<dl> <dt> <em> <font>
<h1> <h2> <h3> <h4>
<h5> <h6> <hr /> <i>
<li> <nbsp> <ol> <p>
<small> <strike> <strong>
<sub> <sup> <table>
<td> <th> <tr> <tt>
<u> <ul>
-
Snippets of code should be wrapped in
<code> tags not
<pre> tags. In fact, <pre>
tags should generally be avoided. If they must
be used, extreme care should be
taken to ensure that their contents do not
have long lines (<70 chars), in order to prevent
horizontal scrolling (and possible janitor
intervention).
-
Want more info? How to link
or How to display code and escape characters
are good places to start.
|