I've never heard of any malware, but I do worry, especially when running cpan as root. The most noticed unfounded worry for me is seeing in some modules, written on Windows I presume, files that unpack on Linux in mode 777, executable by anyone. Many of these files are just text files, but they could be sprinkled with bash commands. Nothing has ever happened though, so I don't worry much, but I shudder every time I see them in an unpacked module.

Another worry I have, although it may be unfounded, is that the network security engineers could set up a system where they switch a good download with one loaded with some malware, through some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it.

Of course, I always download and build all modules as an underprivileged user, then after inspection, install as root, or even better, install to the user's home directory with local::lib.

If you want my honest opinion, the biggest source of network-related insecurity comes from downloading the numerous precompiled binary libraries and executables which the various distributions provide. I always compile myself. You should also compile your own kernel and possibly use something like SELinux.

I went through a lot of worrying about this 10 years ago, but then I realized that it was a waste of time. What is your computer used for? If it's just a personal computer, not involved in any secret activity, the risk of invasion is so small that the time it takes to run REAL security is too high related to the risk. If some evil agency wants to get access to your computer, they have easier ways than using CPAN or RPMs. 99% of all security compromises come from within your own circle of trust. A co-worker, a girlfriend, etc. who you allow to use the computer are almost always the culprit. You have to watch out for people with USB memory sticks. :-) They can boot your computer with an on-key OS, and do whatever they want.

I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh

In reply to Re: Malware on CPAN by zentara
in thread Malware on CPAN by Anonymous Monk
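
One way to do the "inspection" step from the post above without unpacking anything, as an added example that is not code from the thread or from its author: it reads a distribution tarball with the core Archive::Tar module and lists files that are world-writable or carry an execute bit without starting with `#!`. The function name `audit_tarball` and the sample distribution `Foo-Bar-0.01` are made up for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Tar;    # core module; reads the archive without unpacking it

# Return one finding per regular file whose mode bits deserve a look.
sub audit_tarball {
    my ($tar) = @_;
    my @findings;
    for my $f ($tar->get_files) {
        next unless $f->is_file;
        my $mode = $f->mode & 07777;    # keep permission bits only
        my @why;
        push @why, 'world-writable' if $mode & 0002;
        # An execute bit on something that does not start with "#!" is the
        # "plain text file unpacked as 777" case described in the post.
        if ($mode & 0111) {
            my $content = $f->get_content;
            push @why, 'executable without shebang'
                unless defined $content && $content =~ /\A#!/;
        }
        push @findings,
            sprintf('%04o %s (%s)', $mode, $f->full_path, join ', ', @why)
            if @why;
    }
    return @findings;
}

# With a path argument, audit that tarball; otherwise use a constructed sample.
my $tar = Archive::Tar->new;
if (@ARGV) {
    $tar->read($ARGV[0])
        or die "cannot read $ARGV[0]: " . $tar->error . "\n";
}
else {
    # Constructed sample input: hypothetical distribution Foo-Bar-0.01.
    $tar->add_data('Foo-Bar-0.01/README', "Just a text file.\n", { mode => 0777 });
    $tar->add_data('Foo-Bar-0.01/lib/Foo/Bar.pm', "package Foo::Bar;\n1;\n", { mode => 0644 });
    $tar->add_data('Foo-Bar-0.01/bin/foobar', "#!/usr/bin/perl\nprint 1;\n", { mode => 0755 });
    $tar->add_data('Foo-Bar-0.01/Changes', "0.01 first release\n", { mode => 0666 });
}

my @findings = audit_tarball($tar);
print "$_\n" for @findings;
print scalar(@findings), " file(s) to review before building\n";
```

Run it as the unprivileged build user against the downloaded tarball; a finding is a prompt to read that file before running `perl Makefile.PL`, not proof of anything malicious.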
