On Monday 22 September 2008, David Golden wrote:
> On Mon, Sep 22, 2008 at 8:40 AM, Shlomi Fish <[EMAIL PROTECTED]> wrote:
> > My suggestion for resolving this is to modify the smoking modules so,
> > after the archive is unpacked (with a proper umask and arguments to tar),
> > they will traverse the directory tree and look for any world-writable
> > files. If any are found, they will report the smoking of the module as
> > "FAIL", and delete the unpacked directory tree, without doing the "perl
> > Makefile.PL/Build.PL ..." dance.
>
> This isn't just a smoking problem, right?  A normal CPAN/CPANPLUS
> install would trigger the same warning?
>

Yes, it would.

> > We could give an option for doing this, if it bothers you. But I'm tired
> > of finding these files in the msec report and reporting them manually.
> >
> > Now I volunteer to implement this.
>
> I think that CPANTS is probably the better place for this kind of
> analysis, particularly because it's static and because the reason for
> the Kwalitee point is clear.  It sounds like exactly the kind of thing
> that fits among the core Kwalitee metrics.

Well, it does. However, hardly anyone pays any attention to CPANTS, and it's 
out there in the background, and hardly influences the general perception of 
the module. 

>
> There are some reasons I think that CPAN Testers is *not* the right
> place for this:
>
> * The CPAN Testers grades relate only to the ability to build/test a
> distribution.  Unless world writable files prevent that, FAIL or
> UNKNOWN are not appropriate

World-writable files are a security risk and the CPAN shell should refuse to
test the distribution if they exist. A security-conscious admin won't install
such modules if they generate world-writable files. As such, one should not
proceed to the build/test stage and fail immediately.

>
> * Someone would have to read the FAIL and pay attention to understand
> that the problem is a world-writable file (whereas it's obvious on
> CPANTS what the problem is)

Someone would have to read the FAIL report in any kind of failure. If we 
report at the top that it was caused by world-writable files then people 
would pay attention in case they didn't expect a failure.

>
> * CPAN::Testers is no longer notifying authors directly anyway
>

Actually, they do. I receive "CPAN Testers Daily Report"s in email every day, 
and am also subscribed to the RSS feed. I pay much less attention to the 
CPANTS.

Regards,

        Shlomi Fish

-----------------------------------------------------------------
Shlomi Fish       http://www.shlomifish.org/
What does "Zionism" mean? - http://xrl.us/bjn8u

Shlomi, so what are you working on? Working on a new wiki about unit testing 
fortunes in freecell? -- Ran Eilam
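The check proposed at the top of the thread (unpack, walk the tree, flag any world-writable entry, report FAIL and discard the tree before Makefile.PL runs), written out as an added Perl example. This is not code from the thread or from any CPAN smoker; the `precheck_distribution` hook name is hypothetical, and it assumes the caller has already unpacked the archive into the directory it is given.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from any CPAN smoker module:
# scan an already-unpacked distribution for world-writable files and
# directories before the "perl Makefile.PL" step.
use strict;
use warnings;
use File::Find ();
use File::Path qw(remove_tree);
use Fcntl qw(:mode);

# Return every path under $dir whose mode has the other-write bit set.
# lstat is used so a symlink's own entry is examined rather than its target;
# symlink entries are then skipped because their mode bits are meaningless
# on most systems (and would otherwise always look world-writable).
sub find_world_writable {
    my ($dir) = @_;
    my @found;
    File::Find::find(
        {
            no_chdir => 1,
            wanted   => sub {
                my @st = lstat($File::Find::name) or return;
                my $mode = $st[2];
                return if S_ISLNK($mode);
                push @found, $File::Find::name if $mode & S_IWOTH;
            },
        },
        $dir,
    );
    return sort @found;
}

# Hypothetical pre-build hook: report "FAIL" with the offending paths at the
# top of the report and remove the unpacked tree, or return "OK".
sub precheck_distribution {
    my ($dir) = @_;
    my @bad = find_world_writable($dir);
    return 'OK' unless @bad;
    print "FAIL: world-writable entries found in unpacked distribution:\n";
    print "  $_\n" for @bad;
    remove_tree($dir);
    return 'FAIL';
}

unless (caller) {
    umask 022;    # a restrictive umask is still needed when unpacking
    my $dir = shift @ARGV or die "usage: $0 <unpacked-dist-dir>\n";
    exit(precheck_distribution($dir) eq 'OK' ? 0 : 1);
}
```

Run it against a freshly unpacked distribution directory; a non-zero exit with the listed paths is the FAIL the thread proposes, and the tree is gone so nothing downstream builds from it.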