It's not that hard to parse a simple Makefile.PL, and a pile of RDF can't represent a complicated one anyways (e.g. can RDF prompt the user for optional deps?). If you want to make things really easy for yourself, use a standard format for your Makefile.PL, which your tools know how to parse. Besides, if you're honestly dealing with modules you trust so little, you should probably audit all the code, including both Makefile.PL and the big pile of stuff in inc/.
In any case, CPAN Testers somehow manages to run oodles of untrusted code without any systems being hosed.
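As an added example (not part of the post above), here is one way to read dependencies out of a standard-format Makefile.PL without executing it, and to refuse any file that is not plainly static so it goes to manual audit instead. The sample files, the `audit` helper and the refuse-list are constructed assumptions for illustration, not a complete Perl parser.

```python
import re

# Constructed sample: Makefile.PL in the conventional ExtUtils::MakeMaker layout.
SIMPLE = """\
use ExtUtils::MakeMaker;
WriteMakefile(
    NAME      => 'Foo::Bar',
    VERSION   => '0.01',
    PREREQ_PM => {
        'Test::More' => 0,
        'LWP'        => '5.80',
    },
);
"""

# Constructed sample: prompts for an optional dependency, so it is not static.
DYNAMIC = """\
use ExtUtils::MakeMaker;
my %deps = ('Test::More' => 0);
$deps{'DBI'} = 0 if prompt('Install DBI support?', 'n') =~ /^y/i;
WriteMakefile(NAME => 'Foo::Bar', PREREQ_PM => \\%deps);
"""

# Heuristic refuse-list (an assumption of this example): variables, backticks,
# calls that run code or ask the user, and anything loaded from inc/.
REFUSE = re.compile(r"[$@`]|\b(?:prompt|system|exec|eval|qx|do)\b|\binc::")
PREREQ_BLOCK = re.compile(r"PREREQ_PM\s*=>\s*\{(.*?)\}", re.S)
PAIR = re.compile(r"""['"]?([\w:]+)['"]?\s*=>\s*['"]?([\w.]+)['"]?""")

def audit(source):
    """Return (prereqs, reasons); prereqs is None when the file is not plainly static."""
    code = re.sub(r"#.*", "", source)            # drop Perl comments
    reasons = sorted(set(REFUSE.findall(code)))
    if reasons:
        return None, reasons                     # needs a human read, not a parser
    block = PREREQ_BLOCK.search(code)
    prereqs = dict(PAIR.findall(block.group(1))) if block else {}
    return prereqs, []

if __name__ == "__main__":
    print(audit(SIMPLE))
    print(audit(DYNAMIC))
```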