On Thu, Jan 19, 2017 at 12:23 AM, Olivier Mengué <olivier.men...@gmail.com>
wrote:

> When I started to seriously code in Perl 10 years ago (going besides
> scripts to modules and CPAN distributions) I immediately thought: "Having
> '.' in @INC doesn't seem a good idea. It could be exploited in a similar
> way as having '.' in $ENV{PATH}". But Perl was already 20 years old, CPAN
> 10 years old and I thought it was already too late for a fix. So I have
> started to write test suite code assuming the tests were run from the root
> of the distribution and that the root of the distribution was in @INC. So I
> wrote many test modules in a directory t/lib and their package names start
> with "t::lib::" so I can just "use t::lib::TestModule". And I'm not alone
> using that style: http://grep.cpan.me/?q=t%3A%3Alib%3A%3A
>

Tests are the easiest part to fix. If all test runners set it, you're done.
Remaining question is how exactly to do that. For example, what should
prove default to? (it should also allow the other one IMO).

I would propose that we fix this first, and then see what isn't working.
Module::Install is obvious, but there's value in knowing what more will
break.

> - If the CPAN clients and the modules installer will get
> PERL_USE_UNSAFE_INC=1 built-in, I don't see how I will be able to build an
> environment to test my CPAN distributions that doesn't have . in @INC at
> all. So it seems that in the name of preserving backwards compatibility you
> are stopping the move towards your long term goal. Or did I miss something?
>

I think the solution there is to never override it if it is already set, so
that an explicit PERL_USE_UNSAFE_INC=0 will DWIM.


> - If the testsuite runs with PERL_USE_UNSAFE_INC=1, but once installed the
> runtime environment is not the same, issues with @INC will just be hidden
> in the test run to be discovered at runtime. Adding "use lib '.';" at the
> top of each test script will hide issues in the same way. So what's the
> point of running the testsuite if it can't show issues?
>

I don't see how that would happen in practice.


> But I have another proposal. Instead of modifying CPAN clients, builders
> and App::Prove to inject '.' into @INC, what about instead injecting in
> @INC the *absolute path of the root of the distribution* being
> configured/built/tested/installed? I think that this would considerably
> reduce the number of side effects and it would help to really isolate
> runtime code that relies on '.' being in @INC (assuming that code is
> covered by a testsuite).
>

Currently there simply isn't any way of injecting in the right place, short
of terrible PERL5OPT hackery that I don't want to think about too much.

Leon
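
The two points in this exchange, as an added example that is not part of the original message and not code from prove or any CPAN client: defaulting PERL_USE_UNSAFE_INC to 1 without overriding an explicit setting, and finding test code in the "use t::lib::TestModule" style that resolves through the distribution root. The helper names and the sample test script are constructed for illustration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Hypothetical helper: the value a test runner should export. Default to the
# legacy behaviour (1), but keep any value the caller set, including 0.
sub effective_unsafe_inc {
    my ($env) = @_;
    return defined $env->{PERL_USE_UNSAFE_INC}
        ? $env->{PERL_USE_UNSAFE_INC}
        : 1;
}

# Hypothetical helper: list "line-number: source" for statements that resolve
# through the distribution root, i.e. that break once '.' leaves @INC.
sub dot_dependent_lines {
    my ($source) = @_;
    my (@hits, $n);
    for my $line (split /\n/, $source) {
        $n++;
        next if $line =~ /^\s*#/;                       # skip comment lines
        push @hits, "$n: $line"
            if $line =~ /^\s*(?:use|require)\s+t::/     # use t::lib::Foo
            || $line =~ /^\s*(?:require|do)\s+['"]t\//; # require 't/x.pl'
    }
    return @hits;
}

# Constructed sample test script, in the style described in the quoted text.
my $sample = <<'END_TEST';
use strict;
use Test::More;
use t::lib::TestModule;
# use t::lib::Disabled;
require 't/helpers.pl';
done_testing;
END_TEST

# Show the defaulting rule for an unset, an explicit 0 and an explicit 1.
for my $case ({}, { PERL_USE_UNSAFE_INC => 0 }, { PERL_USE_UNSAFE_INC => 1 }) {
    my $given = $case->{PERL_USE_UNSAFE_INC} // '(unset)';
    printf "caller=%-7s runner exports %s\n", $given, effective_unsafe_inc($case);
}
print "needs distribution root in \@INC -> $_\n" for dot_dependent_lines($sample);
```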
