I was reading over Jifty last night and about how it depends on
fifty or so CPAN modules. And also noted the suggestion for
installation:
perl -MCPAN -e 'install Jifty'
which is basically what I do when installing modules (sudo cpan
Foo::Bar).
I woke up a bit paranoid and my thought was:
That's running a lot of code as root. Other than CPAN testers,
are there any safeguards running all these tests and modules as
root?
In general, I prefer to run make and make test as a normal user and
then sudo make install, but sudo cpan sure is easy. But, that's
hardly a complete test of code.
I suspect short of reviewing every line of code it's not really
possible to be completely sure. I was wondering also if something
like Devel::Cover and Safe could help in evaluating code before it
gets run as root or loaded on the production machines.
This isn't a problem specific to Perl, of course, but CPAN does make
it reasonably easy to upload code to share. Plus, I've recently used
modules that depend on other modules that, when I looked at the
source, had what I considered a serious bug. (Yes, I provided
patches.) That's not malicious, but does illustrate the potential.
Am I just worrying too much? ;)
--
Bill Moseley
[EMAIL PROTECTED]
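The split workflow the mail describes (run Makefile.PL, make and make test as a normal user, then escalate only for make install), written out as an added example. This is not code from the original message, from Jifty or from the CPAN tools; it assumes an unpacked distribution directory containing Makefile.PL and that perl, make and sudo are on PATH. The script name and the directory name in the usage comment are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not code from the original mail. Splits a CPAN install
# into an unprivileged build/test phase and a root-only install phase.
# Assumes: $1 is an unpacked distribution directory containing Makefile.PL,
# and that perl, make and sudo are on PATH. (Hypothetical script name:
# cpan-split-install.sh.)

# Exit status 0 if the numeric uid in $1 is not root (0), 1 otherwise.
# Taking the uid as an argument keeps the policy separate from the lookup.
is_unprivileged_uid() {
    [ "$1" -ne 0 ]
}

# Phase 1: everything that executes the distribution's own code
# (Makefile.PL, the build, and the test suite) runs as the invoking user.
# Refuses to run if that user is root, because then the split buys nothing.
build_and_test() {
    dist="$1"
    if ! is_unprivileged_uid "$(id -u)"; then
        echo "build_and_test: refusing to run Makefile.PL and tests as root" >&2
        return 1
    fi
    # Subshell so the cd does not leak into the caller.
    ( cd "$dist" && perl Makefile.PL && make && make test )
}

# Phase 2: only the install step is escalated. Note that "make install"
# still runs the generated Makefile as root, so this narrows, but does not
# remove, the code executed with root privileges.
install_as_root() {
    dist="$1"
    ( cd "$dist" && sudo make install )
}

# Run both phases in order; stop if the unprivileged phase fails.
split_install() {
    build_and_test "$1" && install_as_root "$1"
}

# Usage (only when invoked directly with one argument; hypothetical names):
#   sh cpan-split-install.sh ./Some-Dist-1.00
if [ "$#" -eq 1 ] && [ "${0##*/}" = "cpan-split-install.sh" ]; then
    split_install "$1"
fi
```

Compared with `sudo cpan Foo::Bar`, this keeps Makefile.PL and the test suite (the parts most likely to contain arbitrary author-supplied code) out of the root phase; the remaining root-executed code is the generated Makefile's install target. If the target machine does not need a system-wide install, `perl Makefile.PL INSTALL_BASE=~/perl5` (the same mechanism local::lib uses) avoids the sudo step altogether.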