James Keenan writes:

> Pardon my ignorance, but ...
>
> What is the 'default phone-home behavior' in the Makefile.PL's about
> which Randal was complaining?

The author wished to keep track of how widely his modules were used -- at least partially as motivation for bothering to write them. Originally he had something in Makefile.PL which downloaded a file from his own website then executed the contents of that file. (Among other things, it warned the would-be-installer if a newer version of the distro was available.)

People pointed out how insecure this is, and the damage that could be done by somebody hijacking his server and substituting a malicious Perl script at that URL. Others simply didn't like the idea at all of being counted and monitored without their consent; this phone-home behaviour happened by default, without warning. Somebody merely running Makefile.PL (or the CPAN shell or whatever) wouldn't expect it.

The author responded to the security problem by changing his installers to download a dynamically generated data file, not a Perl script, which still allowed him to do counting and have the installer warn about old versions, but didn't have the security risk. But this still happened without warning, and would be unexpected to most users. Several people, Randal included, found this intrusive and unacceptable.

I see that a few weeks ago the author removed all phone-home behaviour, so even this is no longer an issue.

Smylers
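
An added example, not part of the original message and not the module author's code: a small heuristic audit that sorts a Makefile.PL into the three stages described above (fetch and execute, fetch as data only, no network use). The patterns, the sample installers, author.example and Some::Module are all constructed for illustration.

```python
import re

# Heuristic patterns chosen for this example; not an exhaustive list.
NETWORK = re.compile(
    r"\b(?:LWP::Simple|LWP::UserAgent|HTTP::Tiny|IO::Socket(?:::\w+)*|Net::\w+)\b"
    r"|\b(?:curl|wget)\s"
    r"|[\"'](?:https?|ftp)://"
)
# String eval / do FILE run text as Perl. `eval { ... }` and `do { ... }`
# blocks are ordinary control flow and are deliberately not matched.
DYNAMIC_EXEC = re.compile(r"\b(?:eval|do)\s*[$\"'(]")

def audit(source):
    """Classify the text of a Makefile.PL; returns (verdict, findings)."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):   # whole-line comment
            continue
        if NETWORK.search(line):
            findings.append((lineno, "network"))
        if DYNAMIC_EXEC.search(line):
            findings.append((lineno, "dynamic-exec"))
    kinds = {kind for _, kind in findings}
    if kinds >= {"network", "dynamic-exec"}:
        return "fetch-and-execute", findings   # remote text may run as code
    if "network" in kinds:
        return "phones-home", findings         # contacts a server at install
    return "no-network", findings

# Constructed samples mirroring the three stages described in the post.
# author.example and Some::Module are placeholders.
SAMPLES = {
    "original": r'''use ExtUtils::MakeMaker;
use LWP::Simple;
my $code = get("http://author.example/check.pl");
eval $code if defined $code;
WriteMakefile(NAME => 'Some::Module');''',
    "data-only": r'''use ExtUtils::MakeMaker;
use HTTP::Tiny;
my $res = HTTP::Tiny->new->get("http://author.example/latest.txt");
warn "newer version available\n" if $res->{success} && $res->{content} gt '1.0';
WriteMakefile(NAME => 'Some::Module');''',
    "removed": r'''use ExtUtils::MakeMaker;
# eval { require LWP::Simple };
WriteMakefile(NAME => 'Some::Module', VERSION => '1.0');''',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *audit(text))
```

A "phones-home" or "fetch-and-execute" verdict is a prompt to read the flagged lines before running the installer; line-based matching like this will miss obfuscated or multi-line constructs.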
