From: Chas. Owens
> On Mon, Mar 23, 2009 at 14:16, Amit Saxena <learn.tech...@gmail.com> wrote:
>> Is it possible to implement this without using any external modules from
>> CPAN ?
>
> The FAQ covers this quite nicely (see below). In general you should
> use File::Tail[1]. And on UNIX systems, of course, you can always
> cheat:
>
> There are generally five reasons for not wanting to install modules:
>
> 5. the target machine is totally locked down (i.e. you login
>    to rbash and have to provide code to a third party for
>    inclusion on the box)
>
> Of the five, only the fifth is truly difficult to work around, but it
> is possible using the same techniques as the fourth with an added
> argument to the third party that they are willing to install other
> binary programs.

If I may, I would like to wrap this case in a real world context.

We are a certified credit card processor, commonly known as a PCI-DSS(*) level 1 Service Provider. There are specific rules about what we can and can't do on the production servers, which periodically have to pass detailed audits in order to renew our certification. In addition, there are other audits (PA-DSS) required for credit card applications we distribute to be installed on clients' computers.

First of all, as a developer I am not allowed any access to the production servers, either ours or the clients'. I may not log in to them in any form. The system admins work in another department and they are only allowed to install tested and certified packages. Once the servers have passed the initial audit and are certified, every modification or addition must pass through a specific sequence of checks. First, they must undergo a thorough code review. Second, they must be packaged in an approved format for automatic installation, currently the Red Hat RPM packaging. Then that package must be installed and tested on a separate QA system. Once the QA team has approved the update, it is placed in a repository where an administrator, either here or at a client site, can check it out and install it.

There are a number of reasons for this Chinese Wall between development and production, but the biggest is accountability. If I can't directly access the production servers, there is little chance that I can fiddle with the data on those servers without someone else at least detecting the intent to fiddle. Since there is real money involved, the discovery of an intent to fiddle would at least cost me my job, and could put me in prison. These rules are in place to protect the credit card issuers and are very thoroughly enforced. They also provide some liability protection for my employer, although there are additional safeguards in place for that.

In the past few years there have been some highly publicized breakdowns of these rules, resulting in more scrutiny and tighter enforcement for everyone else in the industry.

As a result, installing a new module on the production server is very expensive. It must go through our code review and QA testing as well as being repackaged in the correct format for deployment. It is difficult to justify this expense. It would require even more effort to justify installing directly from CPAN, since none of the modules there have been through our code review nor been examined by either our QA staff or the PCI auditors.

So don't talk to me about working around the limitations. The auditors will almost certainly complain about that. Tell me how to install a new module within these rules?

Bob McConnell

(*) PCI-DSS: Payment Card Industry - Data Security Standards