Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

comment on
( [id://3333]=superdoc: print w/replies, xml ) Need Help??
Says jeffa:
Well, rest assured, there won't be any in a CPAN module, and if there is, it will be there for all to see in plain daylight.
Oh? It used to be that when you ran the Makefile.PL for Memoize, you got the following output:

system("rm -rf /");

[download]
(Then there was a three second pause.) 

This is only a test.  I did not actually try to erase all your files.
Sorry if you were alarmed.

Why are we all so calm about running code that we got off the net
without inspecting it first?

I would like to call for greater awareness of this problem.  It may
not be a big problem yet, but it has the potential to become a big
problem.  Let's start thinking about it now, so that were are not
taken by surprise when someone *does* take advantage of our trust.

What can be done about this?
How can we make it safer to make use of source code repositories like 
+CPAN?

As an incentive to greater vigilance, the next version of this
Makefile.PL REALLY WILL run rm -rf / one time in one thousand.

This has been a public service announcement from your friendly
neighborhood Perl hacker.

[download]
I still think we don't take this seriously enough. It's not enough to say that the trap will "be there for all to see in broad daylight." People don't look at the code before they run it; even when they do, there's no channel for them to warn others.

I think we need to do something about this. Michael Schwern's CPANTS project looked promosing, but then he abandoned it. I'd like to see peer review of CPAN modules and a database of reviews.

In reply to Re: A Fit on NIH by Dominus
in thread A Fit on NIH by footpad

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post; it's "PerlMonks-approved HTML":


  • Are you posting in the right place? Check out Where do I post X? to know for sure.
  • Posts may use any of the Perl Monks Approved HTML tags. Currently these include the following:
    <code> <a> <b> <big> <blockquote> <br /> <dd> <dl> <dt> <em> <font> <h1> <h2> <h3> <h4> <h5> <h6> <hr /> <i> <li> <nbsp> <ol> <p> <small> <strike> <strong> <sub> <sup> <table> <td> <th> <tr> <tt> <u> <ul>
  • Snippets of code should be wrapped in <code> tags not <pre> tags. In fact, <pre> tags should generally be avoided. If they must be used, extreme care should be taken to ensure that their contents do not have long lines (<70 chars), in order to prevent horizontal scrolling (and possible janitor intervention).
  • Want more info? How to link or How to display code and escape characters are good places to start.
Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others contemplating the Monastery: (4)
As of 2024-04-24 22:21 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found