Sat Nov 05 06:04:02 2011: Request 69560 was acted upon.
Transaction: Correspondence added by SMUELLER
       Queue: PAR-Packer
     Subject: PAR packed files are extracted to unsafe and predictable 
temporary directories
   Broken in: (no value)
    Severity: Critical
       Owner: Nobody
  Requestors: j...@nixnuts.net
      Status: open
 Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=69560 >


Presumably, one could at least have a build-time option for pp (not 
packaging time, but PAR::Packer compilation time) that enables some 
extra measures:

perl Makefile.PL --paranoid
make test && make install

a) assert ownership of all directories and files under $TMPDIR/par-$USER
b) assert that other can't write. (How portable would this be?)

Doing this by default would make the cached-startup slow enough to not 
warrant caching at all. That would make PAR::Packer useless for all but 
the most trivial scripts. Think about it. If any other executable would 
have to scan the entire perl source tree before starting, it'd be slower 
to boot than java.

Right now, the proper way to get entirely safe PAR'd executables is to 
set an alternate extraction/cache directory. See "man PAR::Environment".

Reply via email to