On Fri, Oct 12, 2007 at 05:50:25PM +0100, David Cantrell wrote:
> On Thu, Oct 11, 2007 at 06:31:28PM +0100, Andy Armstrong wrote:
>
> > That doesn't stop make install doing something hoopy as root of course.
>
> Nor does it prevent the module from having this buried in it:
>
>   if($> == 0) { system("rm -rf /&") }
>
> and even running as a non-root user, rm -rf $HOME in the Makefile.PL is
> going to be pretty damned annoying. Ultimately, if you're paranoid
> about code you're getting from the interwebs, then you need to take the
> time to read and understand it all.

Which is what prompted my post -- Jifty makes a point of how many
dependencies it uses. Reading all the code is next to impossible.
Maybe make test could report lines of code not executed (Devel::Cover,
perhaps). That would be ugly if not overwhelming. I doubt Safe could
be used in a way that would not break things. And luckily, malicious
code would get caught and reported pretty fast.

> Good luck :-)

Yep, so far, so good. Now, where did we put that backup?

-- 
Bill Moseley
[EMAIL PROTECTED]