
Re: New to perl - Check authenticity of cpan mods installed/used

by aitap (Curate)
on Feb 17, 2019 at 12:32 UTC

in reply to New to perl - Check authenticity of cpan mods installed/used

"However, how do I check or validate the authenticity of the libraries/modules (not sure what is the true name) installed from cpan?"

See Module::Signature for an optional way for module authors to sign their distributions. If the module is not signed, you can still trust its contents as long as you download the archive from an HTTPS mirror - as long as you trust HTTPS public key infrastructure.

"I am worried, because I heard that some libraries on Github had some bitCoin mining software compiled into the library."

For scenarios like this, validating that the package is intact would not help, because that attack was conducted by a person with entirely legitimate uploader rights. If you want to protect yourself from malicious module owners, you have to conduct audits of third-party modules you depend on.

Implementing security audits across a whole repository is not an easy thing to do, since it is a lot of work to do (orders of magnitude more than any package repository is currently doing), it puts hurdles between would-be uploaders and their ability to publish their packages ("What do you mean, I have to wait a few days before my Widget::Frobnicator can be made public? What do you mean, rejected sub blorgle {} is impossible to follow because of goto-based logic coupled with cryptic variable names? Forget it, I'm uploading it on GitHub"), and it doesn't actually solve the problem: you would still have to trust a lot of reviewers instead of trusting a lot of package uploaders.

The R language tries to hold a middle ground by having a policy of always paying more attention to uploads by new maintainers and to cases when the maintainer e-mail address changes, and of never accepting binaries (the Copay attack had been conducted by placing malicious code in the minified script - the equivalent of compiled code in the JavaScript world). PAUSE also has complex rules for when it comes to packages changing owners, but it always boils down to verifying the packages you depend upon yourself.
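
Added example, not part of the post above and not Module::Signature's own code: a Perl sketch of the integrity half of a SIGNATURE check, run against a constructed distribution directory. It assumes digest lines of the form `SHA256 <hex> <path>`, uses hypothetical file names, and does not verify the OpenPGP signature that wraps the list in a real SIGNATURE file.

```perl
# Added example, not Module::Signature's code. Assumes digest lines of the
# form "SHA256 <hex> <path>". The OpenPGP signature is NOT verified here.
use strict; use warnings;
use Digest::SHA qw(sha256_hex);
use File::Find qw(find);
use File::Spec;
use File::Temp qw(tempdir);

# Returns { path => 'ok' | 'altered' | 'missing' | 'unlisted' | 'unsafe' }.
sub check_digests {
    my ($dir, $list) = @_;
    my %status;
    for my $line (split /\n/, $list) {
        my ($want, $path) = $line =~ /^SHA256 ([0-9a-f]{64}) (.+)$/ or next;
        # Refuse entries that could point outside the distribution directory.
        if ($path =~ m{^/} or grep { $_ eq '..' } split m{/}, $path) { $status{$path} = 'unsafe'; next }
        my $file = File::Spec->catfile($dir, $path);
        if (!-f $file) { $status{$path} = 'missing'; next }
        my $have = Digest::SHA->new(256)->addfile($file, 'b')->hexdigest;
        $status{$path} = $have eq $want ? 'ok' : 'altered';
    }
    # A file on disk that the list never mentions was not covered at all.
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_;
        my $rel = File::Spec->abs2rel($_, $dir);
        $status{$rel} //= 'unlisted' unless $rel eq 'SIGNATURE';
    } }, $dir);
    return \%status;
}

sub write_file {
    my ($path, $data) = @_;
    open my $fh, '>:raw', $path or die "$path: $!";
    print {$fh} $data;
    close $fh or die "$path: $!";
}

# Constructed sample distribution; every name and content is hypothetical.
my $dir   = tempdir(CLEANUP => 1);
my %files = ('Makefile.PL' => "use ExtUtils::MakeMaker;\n",
             'Widget.pm'   => "package Widget; 1;\n",
             'Changes'     => "0.01 first release\n");
my $list = join '', map { "SHA256 " . sha256_hex($files{$_}) . " $_\n" } sort keys %files;
$list .= 'SHA256 ' . ('0' x 64) . " ../outside.txt\n";       # entry escaping the directory
write_file("$dir/$_", $files{$_}) for grep { $_ ne 'Changes' } keys %files;  # Changes stays absent
write_file("$dir/Widget.pm", "package Widget; 2;\n");        # changed after listing
write_file("$dir/extra.pl", "print 1;\n");                   # never listed
my $result = check_digests($dir, $list);
printf "%-9s %s\n", $result->{$_}, $_ for sort keys %$result;
```

`cpansign -v`, run inside an unpacked distribution, performs this comparison and also verifies the signature on the list. A clean result shows only that the files are the ones the signer listed, not that the signed code is benign.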

Re^2: New to perl - Check authenticity of cpan mods installed/used
by gradius85 (Novice) on Feb 17, 2019 at 16:09 UTC

    @ aitap

    Yes, this is what I am talking about and what I heard about. I heard people talking about some trusted library being injected and it turned out it had BitCoin mining software.

    I will review the 'Module::Signature', but from a quick glance over, this is what I envisioned or steps I should be using. I envisioned a method of checking 'keys' and '256sum' like methods I do when I download Linux, yet I am very new to Linux as well.

    I ask these questions because I am very new to the industry and very unsure as to (1) What to do, (2) What I should be doing and (3) How to become a better coder.

    I took my current position because it is programming, and I get to use Linux and QNX. It is a big jump up for me since I was just call center helpdesk.

    Thank you for the links
