So… npm keeps getting attacked, rubygems has been taken over from the top, I hope PyPI is not having problems…

How come CPAN (and, I guess, CTAN) has never made the news like that?

The worst I can remember is one guy who added a 1-line "phone home" HTTP call to his Makefile.PL, he was gently reminded that it's impolite to do that, and he stopped.

Is #perl just not a big enough target? And back when it would have been, "supply chain" attacks were not in fashion?

#perl

in reply to dakkar

#Perl projects that have survived mostly don't live-load modules from CPAN during Container/VM startup.* We have a tradition of caching the CPAN versions we tested with and deploying those with our deployments. This greatly increases the chances of a problem being found in a Dev or Test environment and remedied before it gets to Production, vs. live-loading the latest bugs from a public repository with every container start, as NPM does.

* Docker manifests may pull CPAN live. I wouldn't recommend that!

#perl
in reply to Bill Ricker

git-hub/lab/... CI actions will pull prereqs live. One hopes CI Actions adequately sandbox tests! (And cache prereqs to avoid inadvertent DDoS of upstreams.)
(Yet another reason to have full mockery unit tests and fewer of any full stack tests in the automatic test suite.)
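The "cache the tested versions and ship those" practice from Bill Ricker's reply, and the CI point above about not pulling prereqs live, both come down to the same mechanism: commit a pinned snapshot plus the exact tarballs, and install from that vendored cache with network access to CPAN disabled. The Dockerfile below is an added illustration written for this thread, not code posted by either participant. It assumes the standard Carton workflow (`carton install` writes `cpanfile.snapshot`, `carton bundle` fills `vendor/cache/`) and an application entry point named `app.pl`; the base image tag is an assumption too.

```dockerfile
# Constructed example (not from the thread): build a Perl application image
# that installs only the CPAN dists that were tested in Dev/Test, taken from
# a vendored cache committed to the repository. Nothing is fetched from the
# live CPAN mirror at build time, and nothing at container start.
#
# Weak pattern the thread warns about (resolves "latest" of every prereq on
# each build; some images even run this from the entrypoint at startup):
#
#   RUN cpanm --notest --installdeps .
#
# Prerequisite on the developer/CI side, run once per dependency change and
# committed alongside the code:
#
#   carton install     # resolves cpanfile -> cpanfile.snapshot (pinned set)
#   carton bundle      # copies those exact tarballs into vendor/cache/
#   git add cpanfile cpanfile.snapshot vendor/cache
#
# CI then installs from vendor/cache the same way this Dockerfile does, so
# the pipeline never reaches out to the public index either.

FROM perl:5.38-slim

WORKDIR /app

# Copy the manifest and the vendored tarballs first so this layer is reused
# until the pinned dependency set actually changes.
COPY cpanfile cpanfile.snapshot ./
COPY vendor/cache ./vendor/cache

# --mirror file://...  : the only package index cpanm may consult
# --mirror-only        : never fall back to the public CPAN mirror
# -L local             : install into /app/local, separate from system perl
RUN cpanm --notest --quiet \
      --mirror file:///app/vendor/cache --mirror-only \
      -L local --installdeps .

COPY . .

# Point perl at the pinned, vendored modules; no cpanm runs after this line.
ENV PERL5LIB=/app/local/lib/perl5
ENTRYPOINT ["perl", "app.pl"]
```

A compromised or newly published upstream release can only enter this image through a change to `cpanfile.snapshot` and `vendor/cache/`, which shows up as a reviewable diff in the repository rather than as a silent difference between two container starts. Enabling `--verify` on that `cpanm` line additionally checks each tarball's CHECKSUMS signature from the vendored cache before installation.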