On Tue, Mar 24, 2009 at 10:26, Bob McConnell <r...@cbord.com> wrote:
snip
> As a result, installing a new module on the production server is very
> expensive. It must go through our code review and QA testing as well as
> being repackaged in the correct format for deployment. It is difficult
> to justify this expense. It would require even more effort to justify
> installing directly from CPAN, since none of the modules there have been
> through our code review nor been examined by either our QA staff or the
> PCI auditors.
>
> So don't talk to me about working around the limitations. The auditors
> will almost certainly complain about that. Tell me how to install a new
> module within these rules?
>
> Bob McConnell
>
> (*) PCI-DSS: Payment Card Industry - Data Security Standards
>

You fall into case 5, completely locked down box (which if you recall
is the one I said is difficult to work around).  You have two options:

  1. Follow the procedures your company had put in place for
     new libraries to be put on the box.
  2. Provide PAR::Packer executables to QA.

I have been in those environments before, and nobody seems to complain
when a C programmer statically links a library to his or her program.  I
see PAR::Packer as a similar beast; QA gets a monolithic binary that
they can test.

The question you have to ask yourself is whether it is more expensive
to replicate the functionality yourself.  For some modules, like the
DBI, the answer is obviously yes.  Remember, if you need the
functionality, you still wind up writing a similar amount of code (or
you wind up not implementing all of the corner cases and have buggy
code), so the hit from QAing is going to happen anyway and you will
have wasted the company's time and money writing, often inferior,
code.

Oh, and I would never suggest using CPAN (or CPANPLUS) in such an
environment.  They do not provide a reliable mechanism for backing out
modules.  A package management system like RPM is much more
preferable.  I have often found that modules that are already packaged
by your vendor (RedHat in this case) get a free pass in environments
like this.

-- 
Chas. Owens
wonkden.net
The most important skill a programmer can have is the ability to read.

-- 
To unsubscribe, e-mail: beginners-unsubscr...@perl.org
For additional commands, e-mail: beginners-h...@perl.org
http://learn.perl.org/