[Pdx-pm] CPAN updates vs vendor updates
Eric Wilhelm
scratchcomputing at gmail.com
Tue Aug 26 20:05:50 PDT 2008
# from Keith Lofstrom
# on Tuesday 26 August 2008 19:41:
>> Yes. I'm not sure what sort of security enhancements you were
>> getting from the RPMs, but the main thing you notice when installing
>> directly from CPAN is that the latest and greatest is always assumed
>> to be stable. ...
>
>Shudder. The usual distro updates are to fix exploitable security
>holes or repair disabling bugs, but to not add features or improve
>performance. Some regression testing is implied. I assume that
>some CPAN modules are barely tested and there is little preventing
>them from having more bugs and security holes than their predecessors;
>some may even be nonfunctional.
Well, you're assuming that your vendor has done extensive compatibility
testing on all of the perl modules.
You can look up a module's results on cpantesters.
http://cpantesters.perl.org/show/Math-GSL.html
Now, that only gives you the OK for all of the current states of the
dependencies (as found on CPAN at the time of the test), but that tends
to keep things in a working state for the case of "If I start up CPAN.pm
on a fresh install, it will pass."
Of course, if redhat had added a critical security patch to a module
without pushing the change upstream, you might get to be the sharp-eyed
consumer who caught them out at it ;-)
--Eric
--
"I've often gotten the feeling that the only people who have learned
from computer assisted instruction are the authors."
--Ben Schneiderman
---------------------------------------------------
http://scratchcomputing.com
---------------------------------------------------