Michael G Schwern wrote:

Some malicious user, who has somehow gotten an account on your machine, and
can see inside your .cpanplus build directory (which he shouldn't because it
should only be readable by you), might at just the right exact moment when
you're about to run THE ALREADY UNTRUSTED CODE replace it with a malicious 
attack.

Instead of, oh I don't know, just uploading a tarball to CPAN that already has
a malicious Makefile.PL in it and nuking the whole CPAN Testers network.

You're assuming that the build is happening just by a smoke tester. I think that the OP is just pointing out that he noticed this on his smoker, but the problem exists outside that env too.

Say I'm using a CPAN module that I've vetted before and know the code is not going to do something malicious. If I don't know that world writeable files are a problem or that this module contains them (because there aren't kwalitee points to say otherwise :) and another user on my machine does, then ugly brown stuff can hit spinning blades designed to circulate air.

--
Michael Peters
Plus Three, LP
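A defensive check for the situation Michael describes, added here as an example and not taken from the thread or from CPANPLUS: a POSIX shell helper (hypothetical names `find_world_writable` and `strip_world_writable`) that reports entries under an unpacked distribution which any other local user could modify, and a second that clears that bit before the build is run.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): list files and directories under
# an unpacked distribution whose "other" write bit is set, i.e. anything that
# a different local user could rewrite before Makefile.PL is executed.
# Prints one path per line; returns 0 if nothing was found, 1 otherwise.
# Symlinks are skipped because their own mode bits carry no meaning.
find_world_writable() {
    found=$(find "$1" ! -type l -perm -0002 -print | sort)
    [ -n "$found" ] && printf '%s\n' "$found"
    [ -z "$found" ]
}

# Hypothetical fix: strip the "other" write bit from every entry found, then
# re-check. Returns 0 once nothing world-writable remains.
# Note that this is only meaningful if the build directory itself is not
# writable by others; otherwise another user can still swap files in after
# the check has run (the time-of-check/time-of-use window from the thread).
strip_world_writable() {
    find "$1" ! -type l -perm -0002 -exec chmod o-w {} +
    find_world_writable "$1" >/dev/null
}
```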