On Tue, Mar 24, 2009 at 10:26, Bob McConnell <r...@cbord.com> wrote:
snip
> As a result, installing a new module on the production server is very
> expensive. It must go through our code review and QA testing as well as
> being repackaged in the correct format for deployment. It is difficult
> to justify this expense. It would require even more effort to justify
> installing directly from CPAN, since none of the modules there have been
> through our code review nor been examined by either our QA staff or the
> PCI auditors.
>
> So don't talk to me about working around the limitations. The auditors
> will almost certainly complain about that. Tell me how to install a new
> module within these rules?
>
> Bob McConnell
>
> (*) PCI-DSS: Payment Card Industry - Data Security Standards
You fall into case 5, completely locked down box (which if you recall is the
one I said is difficult to work around). You have two options:

1. Follow the procedures your company has put in place for new libraries to
   be put on the box.
2. Provide PAR::Packer executables to QA.

I have been in those environments before, and nobody seems to complain when a
C programmer statically links a library to his or her program. I see
PAR::Packer as a similar beast; QA gets a monolithic binary that they can
test.

The question you have to ask yourself is whether it is more expensive to
replicate the functionality yourself. For some modules, like the DBI, the
answer is obviously yes. Remember, if you need the functionality, you still
wind up writing a similar amount of code (or you wind up not implementing all
of the corner cases and have buggy code), so the hit from QAing is going to
happen anyway and you will have wasted the company's time and money writing,
often inferior, code.

Oh, and I would never suggest using CPAN (or CPANPLUS) in such an
environment. They do not provide a reliable mechanism for backing out
modules. A package management system like RPM is much more preferable. I have
often found that modules that are already packaged by your vendor (RedHat in
this case) get a free pass in environments like this.

--
Chas. Owens
wonkden.net
The most important skill a programmer can have is the ability to read.

--
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/
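An added example, not from this thread and not code by either poster: before deciding between "vendor RPM gets a free pass" and "bundle it with PAR::Packer", it helps to know which of a script's dependencies are actually owned by a vendor package on the target box. The script below takes module names, locates each on @INC without loading it (loading would execute code that has not been reviewed yet), and asks `rpm -qf` whether a package owns the file. The host being RPM-based (RedHat, as in the thread) and the sample module list are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list thread): classify the modules a
# deployment needs as VENDOR (an RPM owns the .pm), UNOWNED (present, but
# installed by hand or from CPAN, so it has no package to back out and an
# auditor will flag it), or MISSING (must be packaged or PAR-bundled first).
# Assumes an RPM-based host with `rpm` on PATH; the default module list is a
# constructed sample.
use strict;
use warnings;

my @modules = @ARGV ? @ARGV : qw(DBI DBD::mysql Moose Data::Dumper);

for my $mod (@modules) {
    # Only accept well-formed module names; anything else is rejected rather
    # than turned into a file path.
    unless ($mod =~ /\A[A-Za-z_]\w*(?:::\w+)*\z/) {
        printf "%-14s INVALID  (not a module name)\n", $mod;
        next;
    }
    (my $rel = "$mod.pm") =~ s{::}{/}g;    # DBD::mysql -> DBD/mysql.pm

    my $path = find_module($rel);
    if (!defined $path) {
        printf "%-14s MISSING  (package via RPM or bundle with PAR::Packer)\n", $mod;
        next;
    }

    my $owner = rpm_owner($path);
    if (defined $owner) {
        printf "%-14s VENDOR   %s (%s)\n", $mod, $owner, $path;
    } else {
        printf "%-14s UNOWNED  %s (no RPM owns this file)\n", $mod, $path;
    }
}

# Locate a module file on @INC without require-ing it, so no unreviewed code
# runs as a side effect of the inventory.
sub find_module {
    my ($rel) = @_;
    for my $dir (@INC) {
        next if ref $dir;                  # skip @INC hooks (coderefs/objects)
        my $candidate = "$dir/$rel";
        return $candidate if -f $candidate;
    }
    return undef;
}

# Ask rpm which package owns a file; returns undef when none does.
sub rpm_owner {
    my ($file) = @_;
    # List-form open runs rpm directly, with no shell, so characters in
    # $file can never be interpreted as shell syntax.
    open my $rpm, '-|', 'rpm', '-qf', '--queryformat',
        '%{NAME}-%{VERSION}-%{RELEASE}\n', $file
        or return undef;
    my $out = <$rpm>;
    close $rpm;                            # $? now holds rpm's exit status
    return undef unless $? == 0 && defined $out;
    chomp $out;
    return $out;
}
```

Run it on the production image (or a build of it) as `perl module_inventory.pl DBI DBD::mysql ...`; the VENDOR lines are the ones the reply says tend to pass review without argument, the UNOWNED lines are exactly the CPAN-installed modules that cannot be cleanly backed out, and the MISSING lines are what has to go through the packaging or PAR::Packer route.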