On Mon, Nov 25, 2002 at 07:31:35PM -0700, Rob Nagler wrote:
> Matt Sergeant writes:
> > There's a huge difference in what they are trying to achieve though. 
> > POE doesn't open any files and it doesn't write any files to disk. None 
> > of it is written in C (yet), so unless there's a buffer overrun or type 
> > mismatch bug in perl you can exploit, you're not going to get in that 
> > way.
> 
> I agree that Perl is a "safe" language (independent of taint, which
> adds safety).  Unfortunately, there has been a history of insecure Perl
> programs (formail.pl, I think being the most famous).  This may be
> a consequence of "bad programming", but you have to look at the
> average if you are selecting a system without reviewing every line of
> code, i.e., performing a security audit.

Rating all of CPAN according to the quality of the average module does
a disservice to its better half.  Depreciating its good distributions
also feeds into the myth that all Perl software is shoddy.

> I trust Linux more than Apache, for example, because Linux is not only
> older, but was built using an interface design which is 30 years old
> and has been allowed to evolve.

It seems naive to assume that an older project is more reliable than a
younger one.  Inception dates have no bearing on the age and quality
of source code, otherwise djbdns would be considered less reliable
than bind.

> > I'm not honestly suggesting it's bug free, but I fail to see how a bug 
> > in POE would give you access to the system.
> 
> Use of a user string incorrectly in a "system" or "open" might do it.
> Also, an incorrect chown, chmod, umask, etc.

A casual grep through POE's source would reveal that it doesn't do any
of this.

You seem to be making claims against POE based on broad generalization
rather than research.  Regardless of your intent, representing these
opinions as facts does damage the project's reputation, since they are
available out of context and "forever" through the list's archives.

-- Rocco Caputo - [EMAIL PROTECTED] - http://poe.perl.org/
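
An added illustration of the two points argued above (not code from POE, and not written by anyone in this thread): the "user string in system or open" bug Rob names, the list-form/three-argument calls that avoid it, the taint-mode check Rob mentions as adding safety, and the "casual grep" Rocco describes, written as a small scan over a constructed sample of Perl source. The sub names (unsafe_open, safe_system, untaint_filename, audit_source) and the sample source are my own; the hit list the scan produces is a starting point for review, not a verdict on the code.

```perl
#!/usr/bin/perl
# Added example; not from POE nor from the thread's authors.
# Run as:  perl -T this_script.pl 'report.txt; rm -rf /'
#          perl -T this_script.pl report.txt
# -T turns on taint checking: data from @ARGV, %ENV and file reads is
# marked tainted, and perl dies rather than pass it to system()/exec()
# or any open() that can write or fork.
use strict;
use warnings;

# Under -T, system() also refuses to run while $ENV{PATH} is tainted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# --- the calls Rob named: unsafe and safe forms -----------------------

# UNSAFE: one string goes to /bin/sh -c, so ';', '|', '`' in $name are
# shell syntax. Under -T this dies with "Insecure dependency in system".
sub unsafe_system { my ($name) = @_; return system("cat $name") }

# UNSAFE: two-argument open() reads the mode out of the data itself; a
# name beginning or ending with '|' opens a pipe to a command, not a file.
sub unsafe_open { my ($name) = @_; open(my $fh, $name) or return; return $fh }

# SAFE: list-form system() skips the shell; $name is exactly one argv word.
sub safe_system { my ($name) = @_; return system('cat', $name) }

# SAFE: three-argument open() fixes the mode; the name is never parsed.
sub safe_open { my ($name) = @_; open(my $fh, '<', $name) or return; return $fh }

# Untainting: a regex capture is the one thing that clears the taint flag,
# so the capture must be a whitelist. This allows plain names in cwd only.
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name && $name =~ m{\A([A-Za-z0-9_.-]+)\z};
    return $1;
}

# --- the "casual grep", as a function over a source string --------------
my @RISKY = (
    [ qr/\b(?:system|exec)\s*\(?\s*"[^"]*[\$\@]/ => 'interpolated string to system/exec' ],
    [ qr/`[^`]+`|\bqx\b/                          => 'backtick command'                  ],
    [ qr/\bopen\s*\(?\s*[^,()]+,\s*[^,()]+\)?\s*(?:or|\|\||;)/ => 'two-argument open'  ],
    [ qr/\b(?:chmod|chown|umask)\b/               => 'permission change'                 ],
);

sub audit_source {
    my ($label, $text) = @_;
    open(my $fh, '<', \$text) or die "cannot read in-memory source: $!";
    my (@hits, $n);
    while (my $line = <$fh>) {
        $n++;
        next if $line =~ /^\s*#/;                 # skip comment-only lines
        for my $rule (@RISKY) {
            my ($re, $what) = @$rule;
            push @hits, "$label:$n: $what" if $line =~ $re;
        }
    }
    return @hits;
}

# Constructed sample source (not real POE code) mixing both styles.
my $SAMPLE = <<'END_SAMPLE';
my $name = $cgi->param('file');
open(FH, "$name") or die;            # two-arg: mode comes from the data
system("cat $name");                 # shell sees the whole string
open(my $in, '<', $name) or die;     # three-arg: fine
system('cat', $name);                # list form: fine
chmod 0777, $name;                   # worth a look
END_SAMPLE

# --- demo ---------------------------------------------------------------
print "$_\n" for audit_source('sample.pl', $SAMPLE);   # flags lines 2, 3 and 6

# Constructed attacker-style value if nothing is given on the command line.
my $user_input = @ARGV ? $ARGV[0] : 'report.txt; rm -rf /';
my $clean = untaint_filename($user_input);
if (!defined $clean) {
    print "rejected: '$user_input' is not a plain file name\n";
} elsif (my $fh = safe_open($clean)) {
    my $lines = () = <$fh>;
    print "$clean: $lines line(s)\n";
} else {
    print "$clean: $!\n";
}

# Only under -T: show that even reaching the unsafe call with the raw
# argument is fatal. Never called without taint mode, on purpose.
if (${^TAINT} && @ARGV) {
    my $ok = eval { unsafe_system($ARGV[0]); 1 };
    print "taint mode refused unsafe_system: $@" unless $ok;
}
```

Run it with perl -T; putting -T on the shebang alone gives "Too late for -T" when the script is started as perl script.pl. The scan deliberately ignores list-form system() and three-argument open(), which is why it matters that a grep of a code base looks for the string form specifically rather than for every occurrence of the word "system".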
