Another worry I have, although may be unfounded, is that the network security engineers could setup a system where they switch a good download, with one loaded with some malware, thru some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it.

Of course, I always download and build all modules as an underpriviledged user, then after inspection, install as root, or even better install to the user's home directory with local::lib

If you want my honest opinion, the biggest source of network related insecurity comes from downloading the numerous precompiled binary libraries and executables, which the various distributions provide. I always compile myself. You should also compile your own kernel and possibly use something like SELinux.

I went through alot of worrying about this 10 years ago, but then I realized that it was a waste of time. What is your computer used for? If it's just a personal computer, not involved in any secret activity, the risk of invasion is so small, that the time it takes to run REAL security is too high related to the risk. If some evil agency wants to get access to your computer, they have easier ways than using CPAN or RPM's. 99% percent of all security comprimises come from within your own circle of trust. A co-worker, a girlfriend, etc. who you allow to use the computer are almost always the culprit. You have to watch out for people with USB-Memory-Sticks. :-) They can boot your computer with an on-key OS, and do whatever they want.

"Another worry I have, although may be unfounded, is that the network security engineers could setup a system where they switch a good download, with one loaded with some malware, thru some temporary DNS chicanery. This would not be CPAN's fault. In this new age of cyber-warfare, I wouldn't put it past the various agencies to try it."

It seems more complicated slight of hand tactics are already in use ;)

For me, the StuxNet and Flame exploits contain one lesson; one which is conveniently overlooked by almost all reporters, probably on the orders of their higher-up owners and editors. It only attacks MS Windows, so anyone still using Windows must be crazy. Especially if you live in the Arab world :-)

Back in the day, when every geek who thought Bill Gates and Windows was in cahoots with the NSA was labeled a kook, we were more vigilant. I always suspected that Windows gained such prominance in the OS market, not because Gates was a genius and Windows was so good, but because it gave big governemnt backdoors into everyone's computers. ( I now don my flame proof suit) :-)

---

I'm not really a human, but I play one on earth.
Old Perl Programmer Haiku ................... flash japh

...and I've never experienced any, at least with the 'name brand' ones that are often recommended here on PerlMonks.

The most popular ones are community tested. Instead of trolling, could you share with us some popular modules you've come across in the 13 years you've been here that may be infected? That would be the responsible thing to do... no?

I've made 10000s of writeups but I dont have a memory, so I need your help to remember what modules on CPAN are, were, or could be malware or they phone homed or dropped a rootkit on a machine or wiped out your home folder or caused a kernel panic.

I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.

I haven't heard of any malicious code upload to CPAN.

I know of 3 in the last 12 years which were quasi-fishy uploads with potential

Mostly its just tar permissions nonsense that linux folks complain to win32 folks -- PAUSE was updated to deal with that (withoutworldwritables)

There was one real phone-home thing, and the author took to the criticism, and stopped doing that

Lots of net/web modules use real-live urls for testing, or try to start servers on local-network instead of explicitly localhost -- I keep fighting this one, but nothing nefarious

There is one thing still on CPAN which could be used for perl rootkits ( i don't want to publicize it) but its NA (45) UNKNOWN (155)

There is one thing still on CPAN which could be used for perl rootkits

If that's a real threat (and not just FUD), you should contact modules@perl.org to discuss it, and maybe request removal of that file.

Perl 6 - the future is here, just unevenly distributed

Oh, I get it. If we use the CPAN, the terrorists win.

"...the terrorists win."

'Former' Counterstrike player here. Is that a good thing or a bad thing?

I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.

If you don't know why you can't use CPAN, then yes, there is no logic to it. If you have a specific reason then that might be logical - even if that specific reason is 'the boss says so'.

As for malware - I have a mini-cpan repository that gets scanned by the local anti-virus on a regular schedule. There are a couple of known viruses in it - but upon examination they are in test suites, so that modules can prove they work correctly when dealing with them. (For instance, there is one in Spamassassin's test suite, which from the comments Spamassassin broke on once.) Other than that, nothing gets found.

Seriously though, I've never thought of this nor had any issues. Do you suspect any specific modules as being evil?

There is no point setting up the spectre of a hypothetical nasty, a straw man, and then calling it a bugaboo and blaming it on CPAN.   You are rattling a chain that isn’t connected to anyone or anything.   You’re arguing for a causal association that simply does not have any meaning at all.   Malice can be done in any language.   In any library.   But a contributed library (Perl or otherwise), which by definition is encountered by and reviewed by a great many people, is far less likely to be a vector for malice than original code which no one other than the disgruntled author may actually see.   There are lots of lone wolves out there, and a few of them might be rabid.   Their malicious tendencies are much more likely to succeed in a “one off” system that only they may see, than by a system that thousands of individuals worldwide must deal with constantly.

Frankly, Win* || MacOS & !OSX have done their best to sheild users from the underlying processes since day 1. It's hard to point fingers at any perl module for attempting to align itself with the OS's policy.

As security goes; the only real-life issue I can ever see actually arising -- which is fairly trivial, would be a case of "DNS cache poisoning" coming from the use some NET::, or DNS:: module. Of course, that also requires the module to be installed globally as root, and for the system to be running an Authoritive DNS service locally. Best practices; keep the cache life very short.

Which brings me to those ^evil^ Win* module writers -- 2 issues:
1) Notepad has been able to read/write LF line endings since WinNT version 4
(cat(1)||awk(1) && sed(1) will correct this for *NIX users).
2) Permissions, eg; 0777. Again, *NIX users have a large toolbox, and can perform the following:

#!/bin/sh
# first, the folders
find . -type d -print | while read i
do

chmod 0755 $i

done
# now, the files
find . -type f -print | while read i
do

chmod 0644 $i

done
# a variation using ls(1) could also have been employed
[download]

All, and all; DO examine the source before making && installing. You'd be surprised how much you can learn -- even from the routines included within the source. :)
--'nuf said.





#!/usr/bin/perl -Tw

use strict;
use perl::always;

my $perl_version( 5.12.4 );

print $perl_version;

Say, why would you do while loop instead of xargs ...

find ... -print0 | xargs -0 chmod ...
[download]

... ?

Somewhat related, I have come to like symbolic permission modes to selectively modify the permissions while preserving the rest ...

# Strip group- & world-write permissions.
chmod -R g-w,o-w directory
[download]

I've been wondering if there is any logic to my "no CPAN" requirements that I have been putting up for 13 years on PerlMonks.

It's called reading the code. Of course, everything can be abused in one way or another, but the trick is to avoid sketchy modules and suspicious authours.
If you are truly paranoid, use a VM image and install it on that to see if it does anything malicious.

Also, while the binary packages for your system can be useful, it's sometimes best to avoid them. On openSUSE, if you become part of the build service, you can upload what you have compiled from the CPAN(for example), with your own malicious tweaks. Of course, that is one way to get nasty emails and negative "internetz". ;-)
As a security precaution, I only use the official repos, which contain tested and verified software. Of course, nothing is guaranteed, and it's always possible something slipped through. Generally, however, I do not use the home:* repos.

A strong claim is made but no evidence was given to back it up. I would love to see an example of a malicious module on CPAN. Does anyone know of such a module in CPAN?

1. scenario by this number — answer: yes, we caught you!
2. scenario by this number — answer: no, because you fail each time!!
3. scenario by this number — answer: beat you with a wet noodle!!!