On Apr 13, 2006, at 10:25 AM, Chris Dolan wrote:

On Apr 13, 2006, at 1:40 AM, demerphq wrote:

Seems like if the META.yml creation occurred on the installer's machine
instead of on the distributor's machine the problem would go away, and
allow infinite flexibility.

Heh, that scenario would remove the need for a META.yml completely, wouldn't it?

Unfortunately, that doesn't solve the reason for META.yml's existence: to allow people to inspect module metadata without needing to execute untrusted code.

The reason for having the META.yml isn't really security, but more convenience. Version numbers, author names, module names, abstracts, etc. are spread out all over the tarball usually, but the META.yml just puts them in one place.

It can be a security issue for the PAUSE site or search.cpan.org or whatever, which might receive a poison tarball, but for the average user they've opened themselves wide open anyway.

 -Ken
