Re: [Module::Build] META.yml and platform dependencies.
On 4/13/06, Ken Williams [EMAIL PROTECTED] wrote: Hi Yves, This is a known shortcoming of CPAN's approach to dependency detection. There's no solution inside the META.yml itself, though in some distant future version we'd like to expand the little language that describes dependencies so it would indeed be capable of expressing platform-specific dependencies. In the meantime, I'm not sure what to suggest - if you omit the META.yml I assume CPAN would try another method, but I'm not sure. It's also possible that if you put dynamic_config = 1 in the META.yml it could try another method, but I'm certainly not sure about that either. :-/ Seems like if the META.yml creation occured on the installers machine instead of on the distributors machine the problem would go away, and allow inifinte flexibility. So for the time being it looks like I have to hand hack my MakeMaker or something. Hmm. Yves -- perl -Mre=debug -e /just|another|perl|hacker/
Re: [Module::Build] META.yml and platform dependencies.
On Apr 13, 2006, at 1:40 AM, demerphq wrote: Seems like if the META.yml creation occured on the installers machine instead of on the distributors machine the problem would go away, and allow inifinte flexibility. Heh, that scenario would remove the need for a META.yml completely, wouldn't it? Unfortunately, that doesn't solve the reason for META.yml's existence: to allow people to inspect module metadata without needing to execute untrusted code. Chris -- Chris Dolan, Software Developer, Clotho Advanced Media Inc. 608-294-7900, fax 294-7025, 1435 E Main St, Madison WI 53703 vCard: http://www.chrisdolan.net/ChrisDolan.vcf Clotho Advanced Media, Inc. - Creators of MediaLandscape Software (http://www.media-landscape.com/) and partners in the revolutionary Croquet project (http://www.opencroquet.org/)
Re: [Module::Build] META.yml and platform dependencies.
On 4/13/06, Chris Dolan [EMAIL PROTECTED] wrote: On Apr 13, 2006, at 1:40 AM, demerphq wrote: Seems like if the META.yml creation occured on the installers machine instead of on the distributors machine the problem would go away, and allow inifinte flexibility. Heh, that scenario would remove the need for a META.yml completely, wouldn't it? Depends what you consider the objective of having a META.yml If its to provide a clean abstraction layer for installation agents like CPAN to process then no. Unfortunately, that doesn't solve the reason for META.yml's existence: to allow people to inspect module metadata without needing to execute untrusted code. If the objective is to avoid the execution of untrusted code then no you would be right. But im not sure that that is the objective. Im not saying it isnt, but, it seems to me that a client like CPAN is going to execute the Makefile.PL or Build.PL regardless, so it doesnt seem to me like its a big win in terms of security. I mean, it seems to me the difference is purely one of whether the client executes the build script _before_ or _after_ reading the META.yml. Given that i see no change in the security profile. Yves -- perl -Mre=debug -e /just|another|perl|hacker/
Re: [Module::Build] META.yml and platform dependencies.
On Apr 13, 2006, at 1:40 AM, demerphq wrote: Seems like if the META.yml creation occured on the installers machine instead of on the distributors machine the problem would go away, and allow inifinte flexibility. So for the time being it looks like I have to hand hack my MakeMaker or something. Hmm. That won't work. CPAN is looking at the META.yml file before running *anything*, including your MakeMaker code. Also, there's already a file called _blib/prereqs that's written while running the Build.PL script, and will contain any dynamically specified prereqs. I did bring up this issue with Andreas when he was proposing the META.yml-reading behavior for CPAN, but he figured he's cross that bridge when we came to it. I think we've come to it? -Ken
