Re: CPAN viruses

2002-06-08 Thread Elaine -HFB- Ashton

[EMAIL PROTECTED] [[EMAIL PROTECTED]] quoth:
*Hello:
*Just downloaded my first CPAN module (woo-hoo).  What risks are
*associated with installing these modules?  Are they checked for viruses,
*etc. before posting?

No more than with anything else you download from the net and install onto
a system. Modules aren't audited upon upload but an MD5 checksum is
generated which you can use either manually or with CPAN.pm to verify
the validity of the distribution but, again, this isn't a foolproof
guarantee of secure non-malicious code. The CPAN Testers tend to validate
and test quite a few modules to catch such problems early. Identifying
malicious code in perl modules would also prove to be a daunting task
considering the volume and range of skill.

Over the last 7 years, we haven't had any problems of this nature and
hopefully it will remain that way in spite of the fact that, with over 200
independent mirrors around the globe, it would be very easy to distribute
such a file and very difficult to provide a system that would safeguard
against it if the point of origination was PAUSE. So far people seem to
respect the space and find other things to entertain themselves with. We
have discussed such things as a fingerprint database but, again, it
wouldn't be 100% secure.

As with everything, caveat emptor.

e.

-- 
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]




Re: CPAN viruses

2002-06-05 Thread Chris Ball

>>>>> "Patrick" == Patrick Griffin [EMAIL PROTECTED] writes:

Patrick> Hello: Just downloaded my first CPAN module (woo-hoo).
Patrick> What risks are associated with installing these modules?

In theory, many.

Patrick> Are they checked for viruses, etc. before posting?

Nope.  If you're using the CPAN installer, they'll be checked against
the checksum list - you can be sure that you're installing the same file
that was uploaded to the server by the developer.  However, there's
nothing to stop anyone uploading a script that runs 'rm -rf /' and
getting you to type 'perl -MCPAN -e 'install Helpful::Script'' - it's
trivial to get a CPAN account, and new uploads aren't vetted.

In theory, though, it's likely that such a module would be noticed very
quickly indeed, and removed of anything harmful.  Hopefully.

- Chris.
-- 
$a=printf.net; Chris Ball | chris@void.$a | www.$a | finger: chris@$a
 chris@lexis:~$ perl -le'@a=($^O eq 'darwin')?qw(100453 81289 9159):qw
 (23152 19246 2040);while(){chomp;push @b,$_ if grep {$.==$_}@a}push
 @b,$^X;print ucfirst join( ,@b[2,0,3,1]).,'/usr/share/dict/words


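The checksum check Elaine and Chris describe, written out as an added Python example (not code from the thread or from CPAN.pm): it parses a constructed CHECKSUMS-style file of the kind CPAN.pm reads and compares a distribution's MD5 and size against it. The distribution name, the CHECKSUMS text and the "tarball" bytes are all constructed; a match proves only that the bytes equal what the mirror's CHECKSUMS lists, which is exactly the limit both posts point out, since that file comes from the same mirror and says nothing about what the code does.

```python
import hashlib
import re

# Constructed CHECKSUMS text in the shape CPAN.pm reads: a Perl hash keyed by
# distribution filename. The first entry's md5/size are those of the
# constructed TRUSTED_BYTES below (MD5 of b"abc"); the second entry is filler.
SAMPLE_CHECKSUMS = """\
$cksum = {
  'Helpful-Script-0.01.tar.gz' => {
    'md5' => '900150983cd24fb0d6963f7d28e17f72',
    'size' => 3,
  },
  'Digest-MD5-2.16.tar.gz' => {
    'md5' => '00000000000000000000000000000000',
    'size' => 1,
  },
};
"""

# Stand-in for the tarball bytes the developer uploaded (constructed).
TRUSTED_BYTES = b"abc"

# One entry: 'File.tar.gz' => { ... }  (an entry body holds no nested braces)
ENTRY_RE = re.compile(r"'(?P<file>[^']+)'\s*=>\s*\{(?P<body>[^}]*)\}")


def parse_checksums(text):
    """Map distribution filename -> {'md5': hex digest, 'size': int or None}."""
    entries = {}
    for m in ENTRY_RE.finditer(text):
        body = m.group("body")
        md5 = re.search(r"'md5'\s*=>\s*'([0-9a-fA-F]{32})'", body)
        size = re.search(r"'size'\s*=>\s*'?(\d+)'?", body)
        if md5:  # an entry without an md5 cannot be verified, so skip it
            entries[m.group("file")] = {"md5": md5.group(1).lower(),
                                       "size": int(size.group(1)) if size else None}
    return entries


def verify_distribution(name, data, checksums_text):
    """Return (ok, reason); ok means data is the file listed in CHECKSUMS, no more."""
    entry = parse_checksums(checksums_text).get(name)
    if entry is None:
        return False, "no CHECKSUMS entry for %s" % name
    if entry["size"] is not None and entry["size"] != len(data):
        return False, "size mismatch: %d bytes, expected %d" % (len(data), entry["size"])
    digest = hashlib.md5(data).hexdigest()
    if digest != entry["md5"]:
        return False, "md5 mismatch: got %s, expected %s" % (digest, entry["md5"])
    return True, "md5 and size match the CHECKSUMS entry"
```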




Re: CPAN viruses

2002-06-05 Thread Alan John Drew

When I download something (depending on how large it is/how much I trust)
I get the source code, scan it for anything dodgy (including the
makefile/make make script) and if all seems ok,
compile and install. If you can avoid it, never compile/install as root. I
generally compile the modules as an unprivileged user, and copy them to
~/lib/perl5/ and add the following to my script:

use lib "./lib/perl5/";

before any other use commands.

A.

On Wed, 5 Jun 2002 [EMAIL PROTECTED] wrote:

> Hello:
> Just downloaded my first CPAN module (woo-hoo).  What risks are
> associated with installing these modules?  Are they checked for viruses,
> etc. before posting?
>
> - Pat






Re: CPAN viruses

2002-06-05 Thread drieux


On Wednesday, June 5, 2002, at 09:49 , Alan John Drew wrote:
[..]
> If you can avoid it, never compile/install as root. I
> generally compile the modules as an unprivileged user, and copy them to
> ~/lib/perl5/ and add the following to my script:
>
> use lib "./lib/perl5/";
>
> before any other use commands.

Is it just me or is there a reason that you haven't simply
done the canonical

 perl Makefile.PL PREFIX=~/lib/perl5

to begin with

We generically agree on 'do not compile as root' - and that
you should think about having the

/usr/local/lib/perl5 || /usr/lib/perl5

owned by your 'group' so that you can install based upon
your group permission - or the older *nix hack of just
allowing it to be world writable - no longer advocated -
or have a PerlGeeks group so that all of the PerlGeeks
can whack in what they find amusing

ciao
drieux

---

Patrick now that you are on the fast track to hell -
what you will also want to get into is:

vladimir: 62:] cat base*
Digest-MD5-2.16
HTML-Parser-3.26
HTML-Tagset-3.03
MIME-Base64-2.12
URI-1.18
libnet-1.11
libwww-perl-5.64
vladimir: 63:]

so that you can move on to doing things you would have
done with rsh/rlogin as webLets






Re: CPAN viruses

2002-06-05 Thread David T-G

drieux, et al --

...and then drieux said...
% 
% On Wednesday, June 5, 2002, at 09:49 , Alan John Drew wrote:
% [..]
% If you can avoid it, never compile/install as root. I
% generally compile the modules as an unprivileged user, and copy them to
% ~/lib/perl5/ and add the following to my script:
% 
% use lib "./lib/perl5/";
% 
% before any other use commands.
% 
% Is it just me or is there a reason that you haven't simply
% done the canonical
% 
%perl Makefile.PL PREFIX=~/lib/perl5
% 
% to begin with

Maybe he doesn't trust makefiles :-)  Maybe he has to support multiple
architectures and is #!#$%@ frustrated because makemaker doesn't know
from SITEARCHLIB (oops, did anyone notice my little rant?).  Of course,
if you were talking about the use lib bit, we can probably figure that
he's using the system perl with his private lib dir, right?


% 
% We generically agree on 'do not compile as root' - and that
% you should think about having the
% 
%   /usr/local/lib/perl5 || /usr/lib/perl5
% 
% owned by your 'group' so that you can install based upon

Not bad, but then it leaves things writable, which also isn't good.
Better to check the makefile and then install as root than to leave 
it writable by a user.


% your group permission - or the older *nix hack of just
% allowing it to be world writable - no longer advocated -

Ah, those were the days...


% or have a PerlGeeks group so that all of the PerlGeeks
% can whack in what they find amusing

That's a good thought; I tend to like VENDORLIB for that one since we
cheap geeks don't buy anything :-)


% 
% ciao
% drieux


HTH & HAND

:-D
-- 
David T-G  * It's easier to fight for one's principles
(play) [EMAIL PROTECTED] * than to live up to them. -- fortune cookie
(work) [EMAIL PROTECTED]
http://www.justpickone.org/davidtg/Shpx gur Pbzzhavpngvbaf Qrprapl Npg!



