cos everyone reads the documentation before installing stuff, right?
Documentation yes, source no. I don't consider it practical to read the source to all the software I install. Even if I did, it would be trivial to obfuscate some damaging payload beyond my abilities to work out what it means in anything like a reasonable timeframe.

I suppose CPAN.pm could have an option to install programs in a safely chrooted environment first to see what they did? It would be nice if it could run the make and make test as a low-privilege user and then switch to being root for the make install. Maybe CPAN can do this already?

I suppose the great and good could take it upon themselves to manually run / inspect CPAN content and sign it digitally as being approved, rather like Microsoft's Authenticode stuff. I have no idea if this is technically practical, let alone actually practical.





--
Jonathan Peterson
Technical Manager, Unified Ltd, +44 (0)20 7383 6092
[EMAIL PROTECTED]
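A sketch of the split the post asks about (build and test as an unprivileged account, install as root), written here as an added example in Perl. It is not code from CPAN.pm and not the poster's code; the account name `cpanbuild` and the already-unpacked distribution directory passed on the command line are assumptions.

```perl
#!/usr/bin/perl
# Build and test a CPAN distribution as an unprivileged user, then install as root.
# Added example, not part of CPAN.pm. Assumes a dedicated, unprivileged local
# account (here called 'cpanbuild') and an already unpacked distribution directory.
use strict;
use warnings;
use POSIX qw(setgid setuid);

my $BUILD_USER = 'cpanbuild';   # hypothetical low-privilege account

# Run @cmd in a child process after dropping from root to $user.
# Returns the command's exit status.
sub run_as_user {
    my ($user, @cmd) = @_;
    my ($uid, $gid) = (getpwnam($user))[2, 3];
    die "no such user: $user\n" unless defined $uid;
    die "refusing to build as uid 0\n" if $uid == 0;

    my $pid = fork();
    die "fork failed: $!\n" unless defined $pid;

    if ($pid == 0) {
        # Child: drop group privileges first (supplementary groups included),
        # then the user id. Order matters: once uid is non-root, setgid fails.
        $) = "$gid $gid";                 # effective gid + group list
        $( = $gid;                        # real gid
        setgid($gid) or die "setgid: $!\n";
        setuid($uid) or die "setuid: $!\n";
        # Verify the drop actually took effect before running anything.
        die "privilege drop failed\n" if $< == 0 || $> == 0 || $( == 0 || $) =~ /\b0\b/;
        exec @cmd or die "exec @cmd: $!\n";
    }

    waitpid($pid, 0);
    return $? >> 8;
}

# Configure, build and test the distribution in $dir as the build user.
sub build_and_test {
    my ($dir) = @_;
    my ($uid, $gid) = (getpwnam($BUILD_USER))[2, 3];
    chdir $dir or die "chdir $dir: $!\n";
    # The build user needs to write Makefile, blib/ etc. into the tree.
    system('chown', '-R', "$uid:$gid", $dir) == 0
        or die "chown of $dir failed\n";
    for my $step (['perl', 'Makefile.PL'], ['make'], ['make', 'test']) {
        my $rc = run_as_user($BUILD_USER, @$step);
        die "step '@$step' failed with status $rc\n" if $rc != 0;
    }
}

die "must be run as root\n" unless $< == 0;
my $dir = shift @ARGV or die "usage: $0 /path/to/unpacked/dist\n";
build_and_test($dir);
# Only after configure, build and test have all succeeded as the unprivileged
# user do we touch system paths, and only for the install target.
system('make', 'install') == 0 or die "make install failed: $?\n";
```

Two caveats for anyone who tries this. First, it limits what `Makefile.PL`, `make` and `make test` can reach, but `make install` still runs as root whatever the (now build-user-owned) Makefile and `blib/` contain, so it is containment for the build and test phases, not a substitute for trusting the distribution. Second, on a system where the build user can still write to the root-owned tree afterwards (for example through a shared group), the same point applies; keep the account dedicated and its home empty.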



