Re^4: CGI::Application vs CGI::Builder by adrianh (Chancellor) on May 03, 2004 at 14:26 UTC
> It's exactly that ;-). Just try to install an old version and you will have a prompt telling you that you are installing an old version.
If they're installing automatically from CPAN they'll get the latest CPAN version automatically.
If they're deliberately requesting an older version then they're doing it deliberately and don't want the warning.
If your site has a more up-to-date version than the one on CPAN surely it's your job to get the latest version uploaded to PAUSE ;-)
In any case this doesn't need you to execute arbitrary code - you just need to fetch the version number and do a comparison.
> and for the counter... knowing how many people find my work useful is one of the reasons that make me publish my modules ;-)
If you really have to have a counter then a simple HTTP GET will do the job (it can be the GET you use to get the current version if you really want to do the version checking twice).
A count of module usage produced in this way will, of course, be wildly inaccurate since there are lots of installs that have nothing to do with actual usage (CPAN testers, people who are curious but never use, etc.)
> Well, if you go through some old versions of my modules, the Makefile.PL had a prompt. After receiving a lot of users' complaints I took off the prompt. No secret backdoor.
Just because people didn't like the warning doesn't mean it shouldn't have been there. I for one would be extremely annoyed if a CPAN module was downloading and executing code that I didn't see first. Especially since in this instance there is no need to download and execute arbitrary code. From the other reactions here many people seem to share that opinion.
> The effort and time that writing modules like CGI::Builder and related documentation requires is a little bit TOO MUCH to be wasted on similar stupid hacks.
Unfortunately there is a large body of evidence that nasty people are willing to expend foolishly large amounts of time and effort in producing exploits.
Note: I am not trying to imply that you are such a nasty person. As a human being I try to be all nice and fluffy and trust people until they do something to demonstrate that I can't trust them. I like living my life that way.
However, as a computing professional I can't trust something that runs arbitrary code on my or my clients' machines. With your system look at who I have to trust (in addition to CPAN):
> I think that a possible solution may be adding an expiration date in the code in the Makefile.PL, thus if it runs after that date, it just warns the user of the probably old version and does nothing with perl.4pro.net.
This only reduces the window of opportunity. It does not remove it.
> Any other suggestion?
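The "fetch the version number and compare it" approach adrianh describes, as an added example of a Makefile.PL-style check; this is not code from the thread or from CGI::Builder, and the URL path, the module version and the response format (a bare dotted-decimal string) are assumptions.

```perl
#!/usr/bin/perl
# Added example (not from the thread): an install-time update check that only
# fetches a version string over HTTP and compares it locally. The fetched bytes
# are treated strictly as data and are never passed to eval, do or require.
use strict;
use warnings;
use LWP::UserAgent;
use version;

# Assumptions: the module's own version, and a hypothetical placeholder URL
# that serves nothing but a version string such as "1.23" or "1.2.3".
our $VERSION    = '1.20';
my  $VERSION_URL = 'http://perl.4pro.net/PLACEHOLDER/latest-version.txt';

# Allow-list parser: accept only digits and dots, reject everything else
# (HTML error pages, a tampered response, anything that looks like code).
sub parse_remote_version {
    my ($body) = @_;
    return unless defined $body;
    $body =~ s/^\s+|\s+$//g;
    return unless $body =~ /\A(\d+(?:\.\d+)*)\z/;
    return version->parse($1);
}

# Returns 'outdated', 'current' or 'unknown'; never dies and never executes
# anything it downloaded. The single GET doubles as the install counter the
# thread talks about, so nothing else needs to be sent or run.
sub check_for_newer_version {
    my ($ua, $url, $local) = @_;
    my $res = $ua->get($url);
    return 'unknown' unless $res->is_success;
    my $remote = parse_remote_version($res->decoded_content);
    return 'unknown' unless defined $remote;     # garbage or truncated body
    return $remote > version->parse($local) ? 'outdated' : 'current';
}

# A version string is tiny: cap the body size and the wait so a slow or
# hostile server cannot stall the install.
my $ua = LWP::UserAgent->new(timeout => 5, max_size => 64);
$ua->env_proxy;

my $status = check_for_newer_version($ua, $VERSION_URL, $VERSION);
if ($status eq 'outdated') {
    warn "A newer version of this module is available on CPAN.\n";
} elsif ($status eq 'unknown') {
    warn "Could not determine the latest version; continuing anyway.\n";
}
```

Because the check only compares a parsed version number, a compromised or spoofed server can at worst emit a misleading warning, not run code on the installing machine.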