This was common knowledge among Perl devs. Every place I've worked that used CPAN did this. No one was pulling down random versions of random packages off the interwebs like a lunatic. I was amazed NPM didn't even have checksums a few short years ago. Every security incident or fiasco (remember unpublished packages??) I've simply nodded and said: yup. That was obviously going to happen.
Got to be honest, I tended to use the distribution packages for Perl back in the day. That would have been Debian or FreeBSD ports back then. If the module was missing I would shrug it and make do. This cultural approach came from a place I work which was airgapped, so we had a local package mirror server which was loaded from Debian CDs.
Also no distracting internet or Google and you had only the man pages to work off.
I really don’t like the culture of “download any old shit off the internet, ram it in a container and throw it into production”. It keeps me awake. One day the whole thing will come crashing down and instantly spawn a costly magic enterprise solution which will cost a fortune just to mitigate that risk which doesn’t actually mitigate it all, just allow the box to be ticked on a compliance form.