> However, how do I check or validate the authenticity of the libraries/modules (not sure what is the true name) installed from cpan?
See Module::Signature for an optional way for module authors to sign their distributions. If the module is not signed, you can still trust its contents as long as you download the archive from an HTTPS mirror - as long as you trust HTTPS public key infrastructure.
> I am worried, because I heard that some libraries on Github had some Bitcoin mining software compiled into the library.

For scenarios like this, validating that the package is intact would not help, because that attack was conducted by a person with entirely legitimate uploader rights. If you want to protect yourself from malicious module owners, you have to conduct audits of third-party modules you depend on.

Implementing security audits across a whole repository is not an easy thing to do, since it is a lot of work (orders of magnitude more than any package repository is currently doing), it puts hurdles between would-be uploaders and their ability to publish their packages ("What do you mean, I have to wait a few days before my Widget::Frobnicator can be made public? What do you mean, rejected: sub blorgle {} is impossible to follow because of goto-based logic coupled with cryptic variable names? Forget it, I'm uploading it on GitHub"), and it doesn't actually solve the problem: you would still have to trust a lot of reviewers instead of trusting a lot of package uploaders.

The R language tries to hold a middle ground by having a policy of always paying more attention to uploads by new maintainers and to cases when a maintainer's e-mail address changes, and never accepting binaries (the copay attack had been conducted by placing malicious code in the minified script, the equivalent of compiled code in the JavaScript world). PAUSE also has complex rules for when packages change owners, but it always boils down to verifying the packages you depend upon yourself.

In reply to Re: New to perl - Check authenticity of cpan mods installed/used by aitap
in thread New to perl - Check authenticity of cpan mods installed/used by gradius85
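The integrity check the reply above alludes to (the CHECKSUMS file that sits next to every distribution in a CPAN author directory, which CPAN.pm itself evaluates in a Safe compartment and compares against the downloaded tarball) can be done by hand. The script below is an added example, not code from aitap's post or from CPAN.pm: the distribution name Widget-Frobnicator-0.01.tar.gz, the tarball bytes and the CHECKSUMS text are all constructed inline so it runs offline, and it deliberately includes a tampered download and an unlisted tarball to show what a failed check looks like.

```perl
#!/usr/bin/perl
# Added example: verify a downloaded CPAN tarball against its CHECKSUMS entry.
# Not code from the thread; the distribution name, the tarball bytes and the
# CHECKSUMS text are constructed here so the script runs offline.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);
use File::Temp  qw(tempfile);
use Safe;

# Evaluate CHECKSUMS in a Safe compartment, as CPAN.pm does: the file is a Perl
# snippet assigning a hashref to $cksum, wrapped in a PGP clearsign block that the
# leading "0&&<<'';" line turns into a harmless heredoc.
sub parse_checksums {
    my ($text) = @_;
    my $cpt   = Safe->new;
    my $cksum = $cpt->reval($text);
    die "CHECKSUMS did not evaluate cleanly: $@" if $@;
    die "CHECKSUMS did not yield a hash\n" unless ref $cksum eq 'HASH';
    return $cksum;
}

# Compare the on-disk tarball with the sha256 and size recorded for it.
# Returns (1, 'ok') or (0, reason).
sub verify_dist {
    my ($cksum, $name, $path) = @_;
    my $entry = $cksum->{$name}
        or return (0, "no CHECKSUMS entry for $name");
    my $want = $entry->{sha256}
        or return (0, "entry for $name carries no sha256");
    open my $fh, '<:raw', $path
        or return (0, "cannot open $path: $!");
    my $got = Digest::SHA->new(256)->addfile($fh)->hexdigest;
    close $fh;
    return (0, "sha256 mismatch for $name: want $want, got $got")
        if lc $got ne lc $want;
    return (0, "size mismatch for $name")
        if defined $entry->{size} && $entry->{size} != -s $path;
    return (1, 'ok');
}

# --- constructed sample data (hypothetical distribution) ---------------------
my $dist       = 'Widget-Frobnicator-0.01.tar.gz';
my $dist_bytes = "constructed stand-in for tarball contents\n";
my $good_sha   = sha256_hex($dist_bytes);
my $size       = length $dist_bytes;

my $checksums_text = <<"EOT";
0&&<<''; # this PGP-signed message is also valid perl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

# CHECKSUMS file generated by CPAN::Checksums (constructed sample)
\$cksum = {
  '$dist' => {
    'sha256' => '$good_sha',
    'size'   => $size,
  },
};
__END__
-----BEGIN PGP SIGNATURE-----
(armor omitted: a real CHECKSUMS is signed by the PAUSE key)
-----END PGP SIGNATURE-----
EOT

# Write bytes to a temporary "download" and return its path.
sub write_temp {
    my ($bytes) = @_;
    my ($fh, $path) = tempfile(SUFFIX => '.tar.gz', UNLINK => 1);
    binmode $fh;
    print $fh $bytes;
    close $fh;
    return $path;
}

my $cksum = parse_checksums($checksums_text);

# 1. Intact download: hash and size agree with the CHECKSUMS entry.
my ($ok, $why) = verify_dist($cksum, $dist, write_temp($dist_bytes));
print "intact:   ", ($ok ? 'PASS' : "FAIL ($why)"), "\n";

# 2. Tampered download (one byte appended in transit): the check must fail.
($ok, $why) = verify_dist($cksum, $dist, write_temp($dist_bytes . 'x'));
print "tampered: ", ($ok ? 'PASS' : "FAIL ($why)"), "\n";

# 3. Tarball the author never published: no entry, so nothing vouches for it.
($ok, $why) = verify_dist($cksum, 'Evil-0.01.tar.gz', write_temp('x'));
print "unlisted: ", ($ok ? 'PASS' : "FAIL ($why)"), "\n";
```

Two caveats a practitioner should keep in mind. First, this only proves the tarball you have matches what the mirror's CHECKSUMS says; on a real mirror you also want the PGP clearsignature on CHECKSUMS (which the sample omits) to verify against the PAUSE key, otherwise a mirror that can alter the tarball can alter the checksum file too. Second, as the post says, none of this helps when the author with legitimate upload rights is the one shipping the miner: for a distribution that carries a SIGNATURE file, Module::Signature's `cpansign -v` run in the unpacked directory at least ties the contents to the author's key, but the contents still have to be read.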
