Should We Let Perl Download and Install Its Own Modules?

CPAN, the Comprehensive Perl Archive Network, is a network of Perl software archives around the world. Perl version 5.6.x includes modules (CPAN and CPAN::FirstTime, among others) that let it fetch Perl modules from CPAN sites on the Internet, verify their checksums and even compile them with gcc. In-depth descriptions of CPAN and Perl's CPAN functionality are beyond this article's scope, but I have one hint and one warning to offer.

First the hint. To install the module Example::Module (not a real Perl module), you enter the command:

perl -MCPAN -e 'install Example::Module'

If it's the first time you've used the -MCPAN flag, the module CPAN::FirstTime will be triggered, and you'll be asked to choose from various options as to how Perl should fetch and install modules from CPAN. These are well-phrased questions with reasonable defaults. But do pay attention to the output while this command executes: the module you're installing may depend on other modules, and you may have to go back and install those first, for example by entering

perl -MCPAN -e 'install Example::PreRequisite'

before making a second attempt at installing the first module.

And now for the warning: using CPAN is neither more nor less secure than downloading and installing any other software from any other Internet source. In my opinion the CPAN utilities seem to be reasonably secure; before being installed, each downloaded module is automatically checked against a checksum based on an MD5 hash (regarded as cryptographically strong when this was written; MD5 collisions have since been demonstrated, so an MD5 checksum no longer rules out a deliberately crafted substitute).

However, even assuming a given package's checksum won't be replaced along with the tampered-with module (a big assumption), all this protects against is the unauthorized alteration of software after its author uploaded it to CPAN. There's nothing to stop an evil registered CPAN developer (anybody may register as one) from uploading hostile code along with a valid checksum. Note that there's nothing to stop that evil developer from posting bad stuff to SourceForge or Freshmeat, either.

Thus, and I hope I'm not belaboring this point, if you really want to be paranoid, the most secure way to install a given Perl module is to:

  1. Identify/locate the module on http://search.cpan.org/.
  2. Follow the link to CPAN's page for the module.
  3. Download the module not from CPAN but from its developer's official web site (listed under “Author Information” on the web page referred to in Step 2, above).
  4. If available, also download any checksum or hash provided by the developer for the tarball you just downloaded.
  5. Use gpg, md5, etc., to verify that the tarball matches the hash (hmm, that might make a good Paranoid Penguin column in itself). A gpg signature made with the developer's own key tells you more than a bare checksum posted beside the tarball, which only shows the download wasn't corrupted or swapped on that one server. Software distributors use several integrity-checking methods besides md5, but few end users bother with any of them.
  6. Unzip and expand the tarball, e.g.,
     tar -xzvf groovyperlmod.tar.gz
  7. If you're a righteously paranoid kung-fu master or aspire to become one, review the source code for sloppiness and/or shenanigans, report your findings to the developer and/or the world at large and bask in the Open Source community's awe and gratitude. (Open-source code is truly open only when people bother to examine it!)
  8. Follow the module's building and installing directions, usually contained in a file called INSTALL and generally amounting to something like:
     perl ./Makefile.PL
     make
     make test
     make install
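As an added example (it is not code from this column, from swatch or from CPAN), here is a shell helper that turns steps 4 through 8 into something you can run without having to eyeball hex strings: it reads the developer's published digest file, compares it with the digest of the tarball you actually fetched, and refuses to unpack or build on any mismatch or missing entry. The tarball name Example-Module-0.01.tar.gz, the digest file SHA256SUMS and the helper names are all made up for the demonstration; the demo functions construct a throwaway tarball so the script runs offline. SHA-256 is used in place of MD5 because MD5 collisions have since been shown to be practical.

```shell
#!/bin/sh
# Added example (not from the column): gate the "paranoid" module install on
# a digest check. All file names below are hypothetical.

# hash_file FILE ALGO  -> prints the hex digest of FILE (ALGO: md5 or sha256).
# Falls back to the BSD tools when the GNU ones are absent.
hash_file() {
    case "$2" in
        md5)
            if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
            else md5 -q "$1"; fi ;;
        sha256)
            if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
            else shasum -a 256 "$1" | cut -d' ' -f1; fi ;;
        *)  echo "hash_file: unknown algorithm '$2'" >&2; return 2 ;;
    esac
}

# verify_tarball TARBALL DIGESTFILE ALGO
# DIGESTFILE holds "<hex>  <filename>" lines (the md5sum/sha256sum format).
# Returns 0 on a match, 1 when the entry is missing or differs. It fails
# closed: no entry for the file is treated like a mismatch, not like a pass.
verify_tarball() {
    vt_name=$(basename "$1")
    vt_expected=$(awk -v f="$vt_name" '$2 == f { print $1; exit }' "$2")
    if [ -z "$vt_expected" ]; then
        echo "verify_tarball: no $3 digest for $vt_name in $2" >&2
        return 1
    fi
    vt_actual=$(hash_file "$1" "$3") || return 2
    if [ "$vt_actual" != "$vt_expected" ]; then
        echo "verify_tarball: DIGEST MISMATCH for $1" >&2
        echo "  expected $vt_expected" >&2
        echo "  got      $vt_actual" >&2
        return 1
    fi
    echo "verify_tarball: $3 digest OK for $vt_name"
}

# verify_signature TARBALL SIGFILE
# Preferable when the developer signs releases: a detached gpg signature binds
# the tarball to a key you have checked, whereas a digest fetched from the same
# site as the tarball only proves the download was not altered in transit.
verify_signature() {
    gpg --verify "$2" "$1"
}

# paranoid_build TARBALL DIGESTFILE ALGO
# Steps 6 and 8 of the procedure, gated on step 5: nothing is unpacked or
# built unless the digest matches.
paranoid_build() {
    verify_tarball "$1" "$2" "$3" || { echo "refusing to build $1" >&2; return 1; }
    pb_dir=$(tar -tzf "$1" | head -n 1 | cut -d/ -f1)
    tar -xzf "$1" &&
        ( cd "$pb_dir" && perl Makefile.PL && make && make test && make install )
}

# ---- constructed demo (throwaway files, not a real module) ----------------
# Build a tarball and publish its digest the way a developer would.
make_demo_tarball() {
    mkdir "$1/Example-Module-0.01"
    echo 'package Example::Module; 1;' > "$1/Example-Module-0.01/Module.pm"
    ( cd "$1" && tar -czf Example-Module-0.01.tar.gz Example-Module-0.01 )
    printf '%s  %s\n' "$(hash_file "$1/Example-Module-0.01.tar.gz" sha256)" \
        Example-Module-0.01.tar.gz > "$1/SHA256SUMS"
}

# Untouched tarball: verification succeeds (returns 0).
demo_good() {
    dg_work=$(mktemp -d)
    make_demo_tarball "$dg_work"
    verify_tarball "$dg_work/Example-Module-0.01.tar.gz" "$dg_work/SHA256SUMS" sha256
    dg_rc=$?
    rm -rf "$dg_work"
    return $dg_rc
}

# Same file name with one byte appended, as a swapped download would look:
# verification fails (returns 1) against the genuine digest file.
demo_tampered() {
    dt_work=$(mktemp -d)
    make_demo_tarball "$dt_work"
    mkdir "$dt_work/mirror"
    cp "$dt_work/Example-Module-0.01.tar.gz" "$dt_work/mirror/"
    printf 'x' >> "$dt_work/mirror/Example-Module-0.01.tar.gz"
    verify_tarball "$dt_work/mirror/Example-Module-0.01.tar.gz" "$dt_work/SHA256SUMS" sha256
    dt_rc=$?
    rm -rf "$dt_work"
    return $dt_rc
}

if demo_good && ! demo_tampered; then
    echo "demo: genuine tarball accepted, altered copy rejected"
fi
```

The matching is done on the tarball's basename, so a digest file listing several releases works as long as you pass the file you really downloaded; a digest file with no entry for that name is rejected rather than silently skipped, because "the developer forgot to list it" and "someone substituted a differently named file" look identical from here.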

Note that if the modules you need are brought to your attention by swatch's Makefile.PL script, then to use the paranoid installation method you'll want to write down the needed module names and kill that script (via plain old Ctrl-C) before installing the modules and rerunning swatch's Makefile.PL.

There's actually a third way to install missing Perl modules: from your Linux distribution's FTP site or CD-ROM. While none approach CPAN's selection, most Linux distributions have packaged versions of the most popular Perl modules. See the table below for the modules you need for swatch and the packages that contain them in Red Hat 7 and Debian 2.2.

swatch Modules

None of this may seem terribly specific to swatch, and indeed it isn't, but it is important—more and more useful utilities are being released either as Perl modules or as Perl scripts that depend on Perl modules, so the chances are that swatch will not be the last Makefile.PL-based utility you install. Understanding some ramifications of all this module madness is worth the liter of ink I just spent on it, trust me.