On 04-Dec-17 13:34, James E Keenan wrote:
> On 12/04/2017 09:08 AM, Nigel Horne wrote:
>> I received a bunch of these today. It may be blacklisting doit - in
>> case it's doing it to something you really don't want it to
>>
>>
>> gateway.bandsman.co.uk : Dec 4 08:17:02 : njh : a password is
>> required ; TTY=pts/0 ; PWD=/home/njh/.cpan/build/Doit-0.022-21 ;
>> USER=root ; COMMAND=/bin/true
>>
>> -Nigel
>
> Have CPAN testers or, perhaps, the Perl Toolchain Gang, ever published
> a list of badly behaved distributions?
>
> I have been compiling my own list of distros that are either dangerous
> (as Doit now appears to be), badly behaved (defaulting to invasive
> tests; rigged to require a response to a command prompt), defectively
> packaged (won't untar properly), or inappropriate for a given OS.
>
> That list has been built up through painful experience. I think it
> would be beneficial to be able to share such a list with others and
> others' lists with mine. Something perhaps less official than an
> official CPAN distro, but something to which trusted people could
> contribute.
>
> Thoughts?
>
> Thank you very much.
> Jim Keenan

I have no stake in Doit - but I did look at the documentation, and it provides a documented "sudo" function.

I might not wish to run it - but how dangerous it is depends on what user the test sudo's to. E.g., sudo to NOBODY (the NFS "world" account on many distributions) or the user running the test wouldn't upset me greatly - but 'root' certainly would.

From your description, the test doesn't understand that a password may be required to sudo. Or that the installer may not have sudo privs - but the other methods (not requiring privs) are available.

In any case, various OS privileges (e.g. execute as sudo (and to which users); files owned by root; setuid files; etc) probably ought to be represented as dependencies - in which case test environments could decide whether to allow them, and ordinary users could know if a module is installable/usable by them. You might want to take that up with the meta spec folks.

The other items you've listed for "badly behaved" distributions seem to be bugs that should be reported to & fixed by the distributions. I can see why you might like a blacklist while waiting for a fix - but I'd hesitate to make it seem like an official escape clause for these behaviors.
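The sudo report line Nigel quoted carries exactly the fields that decide how alarming such an event is: which account invoked sudo, which account it asked to run as, and the working directory it ran from. As an added example, not code from this thread or from the Doit distribution, here is a Python parser for lines of that shape that applies the rating described above (a root target is the serious case, the invoking user or an unprivileged account is not) and flags attempts originating from a CPAN build directory, i.e. from a distribution's build or test run rather than from the user. Of the sample lines, only the first is the one quoted in the thread; the rest are constructed, and the set of low-privilege target accounts is an assumption.

```python
"""Parse sudo report lines in the format quoted in the thread and rate each one.

Line shape (as quoted):
  host : Mon DD HH:MM:SS : invoker : [message ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=...
The message ("a password is required", ...) is present only when sudo refused or
could not run the command; a line for a command that actually ran has none.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

_LINE = re.compile(
    r'^(?P<host>\S+) : '
    r'(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) : '
    r'(?P<invoker>\S+) : '
    r'(?:(?P<message>[^;]*?) ; )?'      # optional refusal/error text
    r'TTY=(?P<tty>[^;]*) ; '
    r'PWD=(?P<pwd>[^;]*) ; '
    r'USER=(?P<target>[^;]*) ; '
    r'COMMAND=(?P<command>.*)$'          # COMMAND is last, so it may itself contain ';'
)

# Assumptions for the rating, following the reasoning in the thread: sudo to root is the
# serious case; sudo to an unprivileged service account or back to the invoking user is not.
# "nobody" stands in for the low-privilege account the writer referred to as NOBODY.
LOW_PRIVILEGE_TARGETS = {"nobody"}
# A PWD under here means a distribution's build/test is what invoked sudo.
CPAN_BUILD_MARKER = "/.cpan/build/"


@dataclass
class SudoEvent:
    host: str
    date: str
    invoker: str   # account that ran sudo (njh in the quoted line)
    message: str   # sudo's refusal/error text, '' when the command ran
    tty: str
    pwd: str
    target: str    # account sudo was asked to run as (the USER= field)
    command: str


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Return a SudoEvent for a line in the quoted report format, or None if it does not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return SudoEvent(host=d['host'], date=d['date'], invoker=d['invoker'],
                     message=(d['message'] or '').strip(), tty=d['tty'], pwd=d['pwd'],
                     target=d['target'], command=d['command'])


def assess(ev: SudoEvent) -> Tuple[str, List[str]]:
    """Rate one event 'high', 'medium' or 'low' and return the reasons for the rating."""
    reasons = []
    if CPAN_BUILD_MARKER in ev.pwd:
        reasons.append("invoked from a CPAN build directory (a distribution's build or tests)")
    if ev.message:
        reasons.append(f"sudo reported: {ev.message}")
    if ev.target == 'root':
        severity = 'high'
        reasons.append("target account is root")
    elif ev.target == ev.invoker or ev.target in LOW_PRIVILEGE_TARGETS:
        severity = 'low'
        reasons.append(f"target account {ev.target!r} grants no extra privilege")
    else:
        severity = 'medium'
        reasons.append(f"target account {ev.target!r} is a different user")
    return severity, reasons


def scan(lines: List[str]) -> List[Tuple[str, SudoEvent, List[str]]]:
    """Parse every line that matches the report format and rate it; other lines are skipped."""
    results = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is not None:
            severity, reasons = assess(ev)
            results.append((severity, ev, reasons))
    return results


# Sample input: the first line is the one quoted in the thread; the others are constructed.
SAMPLE_LINES = [
    "gateway.bandsman.co.uk : Dec 4 08:17:02 : njh : a password is required ; TTY=pts/0 ; "
    "PWD=/home/njh/.cpan/build/Doit-0.022-21 ; USER=root ; COMMAND=/bin/true",
    "gateway.bandsman.co.uk : Dec 4 08:17:05 : njh : TTY=pts/0 ; "
    "PWD=/home/njh/.cpan/build/Doit-0.022-21 ; USER=root ; COMMAND=/bin/true",
    "gateway.bandsman.co.uk : Dec 4 09:02:41 : njh : TTY=pts/1 ; PWD=/home/njh ; "
    "USER=nobody ; COMMAND=/usr/bin/id",
    "Dec 4 09:03:00 gateway sshd[1234]: Accepted publickey for njh from 192.0.2.10",
]

if __name__ == '__main__':
    for severity, ev, reasons in scan(SAMPLE_LINES):
        print(f"[{severity}] {ev.date} {ev.invoker} -> {ev.target}: {ev.command}")
        for r in reasons:
            print(f"    - {r}")
```

Run against a real sudo report or syslog extract, the 'high' entries whose PWD sits under `.cpan/build` are the ones worth a look: a test suite reaching for root, whether or not sudo granted it.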