Michael G Schwern writes: > Smylers wrote: > > > you're talking about Cpan being something morally equivalent to a > > common carrier, rather than an actual common carrier in the legal > > sense? > > Yes, because we are not lawyers I don't even want to approach arguing > about the legal definition. But there is utility in the idea, as a > line. The idea that the carrier is not responsible for the content.
Makes sense. But I don't think rejecting certain uploads for > > The Debian manpage for GNU tar documents this option: > > > > --no-same-permissions > > apply umask to extracted files (the default for non-root > > users) > > > > So umask would be ignored for Andreas above because he un-tar-ed as root > > (and I'm guessing you tried it as you, thereby not triggering the > > behaviour). > > Yes, I don't even give myself root or su access to avoid accidentally > forgetting I'm logged in as root. Everything is through sudo. Me too. It just seems much saner all round. > > Requiring root privs for the last step of installation is common, so > > I guess it's fairly common for some people to do all the steps as > > root (however inadvisable that is). > > Well then those users are fucked another dozen ways. I've seen an alarming number of people do this, and generally get away with it. > I have lying around a prototype for the CPAN shell to warn the user > when they run it as root and offer to reconfigure itself to only su > for the install. That would help plug the hole. Yeah, that sounds good. But only for users running CPAN, not anybody who is manually un-tar-ing a distribution. I have no data for this, but I suspect those who do manual installs in this way are also more likely to do the whole thing as root, and less likely to be involved in the Perl community (such as knowing much about Cpan) -- and therefore most likely to get hurt by this, or to pick up a bad impression of Perl or its community as a result. Smylers
