Well, I don't think it's odd for large business to do some testing before using random pieces of code downloaded from the internet before using them in their programs. In fact, I would find it odd for a business *not* to do so. Regardless whether that piece of code was written in Perl, C, Java or vi macros. Core modules are part of the main distribution, and those have been through the hands of p5p - who has a proven track record of producing good code. But Joe Random Hacker does not.

Abigail

Thanks for the reply. With regards to being able to start a quality control mechanism now, are you just referring to signing the modules? If so, how would you deal with other CPAN mirrors not following the practice? Any other suggestions how to go about creating a quality-control mechanism?

The idea for some kind of quality contol of CPAN modules is actually quite old, but I've never done anything with it. Many people have had ideas, but it all turned out to be harder than you would think.

But this has nothing to do with signing modules. Or CPAN mirrors following some practise. Quality control is saying "this module rocks" and "that module sucks", but then in a polite and useful way.

Signing modules have all to do with authentication. There's no real signing going on right now, but for all modules, a MD5 hash is stored in the CHECKSUMS file in the authors CPAN directory. You could always check the MD5 hash from a module you downloaded against the MD5 hash stored on a CPAN mirror you trust.

And of course, module authors could always leave a PGP signature of the files containing code in their module distribution.

Abigail