Patrick.Griffin@shell.ca [Patrick.Griffin@shell.ca] quoth:
*>Just downloaded my first CPAN module (woo-hoo). What risks are
*>associated with installing these modules? Are they checked for viruses,
*>etc. before posting?

No more than with anything else you download from the net and install onto
a system. Modules aren't audited upon upload but an MD5 checksum is
generated which you can use either manually or with CPAN.pm to verify
the validity of the distribution but, again, this isn't a foolproof
guarantee of secure non-malicious code. The CPAN Testers tend to validate
and test quite a few modules to catch such problems early. Identifying
malicious code in perl modules would also prove to be a daunting task
considering the volume and range of skill.

Over the last 7 years, we haven't had any problems of this nature and
hopefully it will remain that way in spite of the fact that, with over 200
independent mirrors around the globe, it would be very easy to distribute
such a file and very difficult to provide a system that would safeguard
against it if the point of origination was PAUSE. So far people seem to
respect the space and find other things to entertain themselves with. We
have discussed such things as a fingerprint database but, again, it
wouldn't be 100% secure.

As with everything, caveat emptor.
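
The manual MD5 check mentioned in the reply above, as an added example that is not part of the original message and is not CPAN.pm's own code. It assumes the CHECKSUMS file is Perl source assigning a hash reference to $cksum; the distribution name, file contents and helper names are constructed for the demonstration. A match only shows that the file agrees with the CHECKSUMS it was served with.

```perl
use strict;
use warnings;
use Digest::MD5;
use File::Basename qw(basename);
use File::Temp qw(tempdir);
use Safe;

# Hex MD5 digest of a file, read as raw bytes.
sub file_md5 {
    my ($path) = @_;
    open my $fh, '<:raw', $path or die "open $path: $!";
    return Digest::MD5->new->addfile($fh)->hexdigest;
}

# CHECKSUMS comes from the same mirror as the tarball, so evaluate it
# in a restricted Safe compartment rather than with a plain eval.
sub load_checksums {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";
    my $src   = do { local $/; <$fh> };
    my $cksum = Safe->new->reval($src);
    die "CHECKSUMS did not parse: $@" unless ref($cksum) eq 'HASH';
    return $cksum;
}

# Returns 'ok', 'mismatch', or 'unlisted' (no md5 entry for this file).
sub verify_dist {
    my ($dist_path, $checksums_path) = @_;
    my $entry = load_checksums($checksums_path)->{ basename($dist_path) };
    return 'unlisted' unless $entry && $entry->{md5};
    return lc($entry->{md5}) eq file_md5($dist_path) ? 'ok' : 'mismatch';
}

# Helper for the constructed demo files below.
sub write_file {
    my ($path, $data) = @_;
    open my $fh, '>:raw', $path or die "open $path: $!";
    print {$fh} $data;
    close $fh or die "close $path: $!";
}

# Constructed sample: a stand-in "tarball" and a CHECKSUMS entry for it.
my $dir = tempdir(CLEANUP => 1);
my ($dist, $sums) = ("$dir/Example-Dist-0.01.tar.gz", "$dir/CHECKSUMS");
write_file($dist, "constructed stand-in for a tarball\n");
write_file($sums, "\$cksum = { 'Example-Dist-0.01.tar.gz' => { 'md5' => '"
                  . file_md5($dist) . "' } };\n");
print "as downloaded: ", verify_dist($dist, $sums), "\n";
write_file($dist, "bytes changed after CHECKSUMS was written\n");
print "after change:  ", verify_dist($dist, $sums), "\n";
```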