2008/11/12 David Golden <[EMAIL PROTECTED]>:
> On Wed, Nov 12, 2008 at 3:17 PM, demerphq <[EMAIL PROTECTED]> wrote:
>> I rather strongly object to this change.
>
> I totally understand -- but keep in mind that this was in response to
> someone flagging this as a potential (if highly unlikely) security
> hole, forwarding it to some security-watchdog site, etc. So the rapid
> response was "close the hole so no one can say CPAN creates a security
> risk". (Other than the usual, obvious one of running arbitrary
> code...)
>
> So it causes some pain, but in my view, it's in the interest of the
> Perl community to be seen as vigilant.

Ah well, fair enough. Writing my rant was cathartic. :-)

>> this silly test. What really gets me going tho is I WASN'T TOLD THIS
>> ABOUT 1.51_01 or 1.51_02 or 1.51_03 or (do you detect a pattern here?)
>> 1.51_04 or 1.51_05, all of which I uploaded in the last few days in
>> the exact same way!!!
>
> That's kind of a loophole, since development versions aren't indexed.
> I think any upload that fails a security test should probably be
> rejected, whether development or full release.

Or at least the author should be notified about it.

>> IMO if the toolchain is to work this should happen at PAUSE (if it can
>> detect this problem IMO it should just damn well fix it itself) or at
>> extraction.
>
> It *is* being fixed at extraction. But it requires people to upgrade
> CPAN and CPANPLUS (maybe Archive::Extract as well). It was a faster
> fix to close the PAUSE indexing door than to get those fixes released.

Just curious, what's wrong with PAUSE repacking the file with the required perms?

>> What's going to happen next, stuff rejected because they don't have
>> *nix line endings? Or *nix style shebangs? Or use perl-qa's preferred
>> indentation style or something? Hmmmm?!
>
> Maybe instead, at a minimum, every distribution should be run against
> Perl::Critic at severity level 4 and anything that doesn't pass should
> be rejected as well. ;-)
>
> (THAT'S A JOKE, PEOPLE!)
>
>> /grrrr
>
> Right there with you, except my "/grrr" was back when the "security
> alert" got sent off to the watchdogs while the discussion was still
> going on as to whether this was a significant risk in the first place.

Ah, yes, I can imagine that being worth a /grrr or two.

--
perl -Mre=debug -e "/just|another|perl|hacker/"