On 4/13/06, Chris Dolan <[EMAIL PROTECTED]> wrote:
> On Apr 13, 2006, at 1:40 AM, demerphq wrote:
>
> > Seems like if the META.yml creation occurred on the installer's machine
> > instead of on the distributor's machine the problem would go away, and
> > allow infinite flexibility.
>
> Heh, that scenario would remove the need for a META.yml completely,
> wouldn't it?

Depends what you consider the objective of having a META.yml. If it's to provide a clean abstraction layer for installation agents like CPAN to process then no.

> Unfortunately, that doesn't solve the reason for META.yml's
> existence: to allow people to inspect module metadata without needing
> to execute untrusted code.

If the objective is to avoid the execution of untrusted code then no, you would be right. But I'm not sure that that is the objective. I'm not saying it isn't, but it seems to me that a client like CPAN is going to execute the Makefile.PL or Build.PL regardless, so it doesn't seem to me like it's a big win in terms of security. I mean, it seems to me the difference is purely one of whether the client executes the build script _before_ or _after_ reading the META.yml. Given that, I see no change in the security profile.

Yves

--
perl -Mre=debug -e "/just|another|perl|hacker/"