Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Shlomi Fish
On Thursday 13 November 2008, Michael G Schwern wrote: Andreas J. Koenig wrote: On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern [EMAIL PROTECTED] said: Now that the CPAN shells and archiving modules are handling it at their end, I think the PAUSE filter should be removed.

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread David Golden
On Thu, Nov 13, 2008 at 3:39 AM, Shlomi Fish [EMAIL PROTECTED] wrote: What I was expressing is that the CPAN shell can do the twiddling to strip flags at the point of extraction, rather than PAUSE stopping it at the gate. Archive::Tar already does this (see

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Shlomi Fish
On Thursday 13 November 2008, David Golden wrote: On Thu, Nov 13, 2008 at 3:39 AM, Shlomi Fish [EMAIL PROTECTED] wrote: What I was expressing is that the CPAN shell can do the twiddling to strip flags at the point of extraction, rather than PAUSE stopping it at the gate. Archive::Tar

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Andreas J. Koenig
On Wed, 12 Nov 2008 14:51:26 -0600, Jonathan Rockway [EMAIL PROTECTED] said: I agree with demerphq here, why can't PAUSE just fix this? It didn't come up in the hasty discussion about this problem, it didn't occur to me for a moment. And to nobody else. And the number of victims seemed to

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Andreas J. Koenig
On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern [EMAIL PROTECTED] said: Now that the CPAN shells and archiving modules are handling it at their end, I think the PAUSE filter should be removed. It's not PAUSE's job to be the code police. It is 'tar xzf CPANFILE.tar.gz' which

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Cosimo Streppone
On Thu, 13 Nov 2008 05:12:33 +0100, Andreas J. Koenig [EMAIL PROTECTED] wrote: On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern [EMAIL PROTECTED] said: Now that the CPAN shells and archiving modules are handling it at their end, I think the PAUSE filter should be removed. It's

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Andreas J. Koenig
On Wed, 12 Nov 2008 20:44:45 -0800, Michael G Schwern [EMAIL PROTECTED] said: Andreas J. Koenig wrote: On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern [EMAIL PROTECTED] said: Now that the CPAN shells and archiving modules are handling it at their end, I think the

RE: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Jan Dubois
On Thu, 13 Nov 2008, Michael G Schwern wrote: This is why I want CPAN to return to its common carrier policy. Don't inspect them, don't open them, don't reject them and especially don't try to fix them, just leave the packages sealed. CPAN (at least the indexing part of it) always poked

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Aristotle Pagaltzis
* Michael G Schwern [EMAIL PROTECTED] [2008-11-13 04:15]: I really, really, really don't want PAUSE modifying my stuff after it's uploaded. Oh god the mysterious bugs. And then there's the fact that the code I've put my name and signature on is not the same code as is being distributed! Count

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Smylers
Michael G Schwern writes: Andreas J. Koenig wrote: # umask 002 # tar xzf /home/ftp/pub/PAUSE/authors/id/Y/YV/YVES/ExtUtils-Install-1.51.tar.gz # ls -la ExtUtils-Install-1.51 total 1104 -rwxrwxrwx 1 544 513 1765 Mar 3 2008 Build.PL* Your tar is not honoring umask.

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Smylers
Aristotle Pagaltzis writes: * Michael G Schwern [EMAIL PROTECTED] [2008-11-13 04:15]: I really, really, really don't want PAUSE modifying my stuff after it's uploaded. Count me in this camp. That's my instinct as well. I do think that PAUSE could fix this, but it *MUST* require

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Smylers
Michael G Schwern writes: I use the term common carrier [1] because it has a very special meaning. [1] common carrier is a legal idea from common US/UK law. I don't want to get into the legal mumbo jumbo because we're not lawyers, but invoking the idea is useful and powerful. OK, so

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Michael G Schwern
Smylers wrote: [1] common carrier is a legal idea from common US/UK law. I don't want to get into the legal mumbo jumbo because we're not lawyers, but invoking the idea is useful and powerful. OK, so you're talking about Cpan being something morally equivalent to a common carrier, rather

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Smylers
Michael G Schwern writes: Smylers wrote: you're talking about Cpan being something morally equivalent to a common carrier, rather than an actual common carrier in the legal sense? Yes, because we are not lawyers I don't even want to approach arguing about the legal definition. But

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Michael G Schwern
Jan Dubois wrote: On Thu, 13 Nov 2008, Michael G Schwern wrote: This is why I want CPAN to return to its common carrier policy. Don't inspect them, don't open them, don't reject them and especially don't try to fix them, just leave the packages sealed. CPAN (at least the indexing part

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Michael G Schwern
Smylers wrote: I have lying around a prototype for the CPAN shell to warn the user when they run it as root and offer to reconfigure itself to only su for the install. That would help plug the hole. Yeah, that sounds good. But only for users running CPAN, not anybody who is manually

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-13 Thread Smylers
Michael G Schwern writes: Smylers wrote: I have lying around a prototype for the CPAN shell to warn the user when they run it as root and offer to reconfigure itself to only su for the install. That would help plug the hole. Yeah, that sounds good. But only for users

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread demerphq
2008/10/1 Andreas J. Koenig [EMAIL PROTECTED]: On Tue, 30 Sep 2008 17:11:00 -0500, Jonathan Rockway [EMAIL PROTECTED] said: Anyway, I think the average CPAN author doesn't really know or care about that, sadly. See also FWIW, this is true. I have never thought about it.

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread David Golden
On Wed, Nov 12, 2008 at 3:17 PM, demerphq [EMAIL PROTECTED] wrote: I rather strongly object to this change. I totally understand -- but keep in mind that this was in response to someone flagging this as a potential (if highly unlikely) security hole, forwarding it to some security-watchdog site,

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread Jonathan Rockway
* On Wed, Nov 12 2008, David Golden wrote: On Wed, Nov 12, 2008 at 3:17 PM, demerphq [EMAIL PROTECTED] wrote: IMO if the toolchain is to work this should happen at PAUSE (if it can detect this problem IMO it should just damn well fix it itself) or at extraction. It *is* being fixed at

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread demerphq
2008/11/12 David Golden [EMAIL PROTECTED]: On Wed, Nov 12, 2008 at 3:17 PM, demerphq [EMAIL PROTECTED] wrote: I rather strongly object to this change. I totally understand -- but keep in mind that this was in response to someone flagging this as a potential (if highly unlikely) security

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread Michael G Schwern
Jonathan Rockway wrote: * On Wed, Nov 12 2008, David Golden wrote: On Wed, Nov 12, 2008 at 3:17 PM, demerphq [EMAIL PROTECTED] wrote: IMO if the toolchain is to work this should happen at PAUSE (if it can detect this problem IMO it should just damn well fix it itself) or at extraction. It

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread Michael G Schwern
David Golden wrote: On Wed, Nov 12, 2008 at 3:17 PM, demerphq [EMAIL PROTECTED] wrote: I rather strongly object to this change. I totally understand -- but keep in mind that this was in response to someone flagging this as a potential (if highly unlikely) security hole, forwarding it to

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread Michael G Schwern
Andreas J. Koenig wrote: On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern [EMAIL PROTECTED] said: Now that the CPAN shells and archiving modules are handling it at their end, I think the PAUSE filter should be removed. It's not PAUSE's job to be the code police. It is

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread demerphq
2008/11/13 Michael G Schwern [EMAIL PROTECTED]: Jonathan Rockway wrote: * On Wed, Nov 12 2008, David Golden wrote: On Wed, Nov 12, 2008 at 3:17 PM, demerphq [EMAIL PROTECTED] wrote: IMO if the toolchain is to work this should happen at PAUSE (if it can detect this problem IMO it should just

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread chromatic
On Wednesday 12 November 2008 22:36:31 demerphq wrote: I really, really, really don't want PAUSE modifying my stuff after it's uploaded. Oh god the mysterious bugs. And then there's the fact that the code I've put my name and signature on is not the same code as is being distributed!

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-11-12 Thread demerphq
2008/11/13 chromatic [EMAIL PROTECTED]: On Wednesday 12 November 2008 22:36:31 demerphq wrote: I really, really, really don't want PAUSE modifying my stuff after it's uploaded. Oh god the mysterious bugs. And then there's the fact that the code I've put my name and signature on is not

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-30 Thread Jonathan Rockway
* On Sun, Sep 28 2008, Cosimo Streppone wrote: Hi! I don't know if I really understand the entire world-writable files security hole. Anyway, I think the average CPAN author doesn't really know or care about that, sadly. See also FWIW, this is true. I have never thought about it.

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Michael G Schwern
Aristotle Pagaltzis wrote: * Cosimo Streppone [EMAIL PROTECTED] [2008-09-29 02:10]: but it seems that gnu tar doesn't like the following: $ tar --mode=0755 cvf blah.tar somedir $ tar c --mode=0755 vf blah.tar somedir and will only accept: $ tar cvf blah.tar --mode=0755 somedir

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Aristotle Pagaltzis
* Michael G Schwern [EMAIL PROTECTED] [2008-09-29 14:50]: MakeMaker can set a minimum umask if it wants to play security nanny On Windows? Regards, -- Aristotle Pagaltzis // http://plasmasturm.org/

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread David Cantrell
On Sun, Sep 28, 2008 at 10:14:10PM +0200, Cosimo Streppone wrote: Could this work? No, because --mode is a GNUism. If you make that the default then it will break for everyone who doesn't use GNU tar. Having EU::MM try to use that flag when it's supported is a good idea though. Probably

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Michael G Schwern
Aristotle Pagaltzis wrote: * Michael G Schwern [EMAIL PROTECTED] [2008-09-29 14:50]: MakeMaker can set a minimum umask if it wants to play security nanny On Windows? Windows, as always, is a special case. If a workaround is necessary for Windows that's fine. -- Hating the web since

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Aristotle Pagaltzis
* Michael G Schwern [EMAIL PROTECTED] [2008-09-29 16:35]: Aristotle Pagaltzis wrote: * Michael G Schwern [EMAIL PROTECTED] [2008-09-29 14:50]: MakeMaker can set a minimum umask if it wants to play security nanny On Windows? Windows, as always, is a special case. If a workaround is

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Michael G Schwern
Aristotle Pagaltzis wrote: * Michael G Schwern [EMAIL PROTECTED] [2008-09-29 16:35]: Aristotle Pagaltzis wrote: * Michael G Schwern [EMAIL PROTECTED] [2008-09-29 14:50]: MakeMaker can set a minimum umask if it wants to play security nanny On Windows? Windows, as always, is a special case.

[PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-28 Thread Cosimo Streppone
Hi! I don't know if I really understand the entire world-writable files security hole. Anyway, I think the average CPAN author doesn't really know or care about that, sadly. See also: http://use.perl.org/~cosimo/journal/37554 I'd really prefer not having to change my tar command on every

Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-28 Thread Aristotle Pagaltzis
* Cosimo Streppone [EMAIL PROTECTED] [2008-09-29 02:10]: but it seems that gnu tar doesn't like the following: $ tar --mode=0755 cvf blah.tar somedir $ tar c --mode=0755 vf blah.tar somedir and will only accept: $ tar cvf blah.tar --mode=0755 somedir Could this work? GNU tar will,