Michael G Schwern writes:
> Smylers wrote:
>
> > > I have lying around a prototype for the CPAN shell to warn the user
> > > when they run it as root and offer to reconfigure itself to only su
> > > for the install. That would help plug the hole.
> >
> > Yeah, that sounds good.
> >
> > But onl
Smylers wrote:
>> I have lying around a prototype for the CPAN shell to warn the user
>> when they run it as root and offer to reconfigure itself to only su
>> for the install. That would help plug the hole.
>
> Yeah, that sounds good.
>
> But only for users running CPAN, not anybody who is manu
Jan Dubois wrote:
> On Thu, 13 Nov 2008, Michael G Schwern wrote:
>> This is why I want CPAN to return to its common carrier policy. Don't
>> inspect
>> them, don't open them, don't reject them and especially don't try to fix
>> them,
>> just leave the packages sealed.
>
> CPAN (at least the in
Michael G Schwern writes:
> Smylers wrote:
>
> > you're talking about Cpan being something morally equivalent to a
> > common carrier, rather than an actual common carrier in the legal
> > sense?
>
> Yes, because we are not lawyers I don't even want to approach arguing
> about the legal definiti
Smylers wrote:
>> [1] "common carrier" is a legal idea from common US/UK law. I don't
>> want to get into the legal mumbo jumbo because we're not lawyers, but
>> invoking the idea is useful and powerful.
>
> OK, so you're talking about Cpan being something morally equivalent to a
> common car
Michael G Schwern writes:
> I use the term "common carrier" [1] because it has a very special
> meaning.
>
> [1] "common carrier" is a legal idea from common US/UK law. I don't
> want to get into the legal mumbo jumbo because we're not lawyers, but
> invoking the idea is useful and powerful.
OK,
Aristotle Pagaltzis writes:
> * Michael G Schwern <[EMAIL PROTECTED]> [2008-11-13 04:15]:
>
> > I really, really, really don't want PAUSE modifying my stuff after
> > it's uploaded.
>
> Count me in this camp.
That's my instinct as well.
> I do think that PAUSE could fix this, but it *MUST* req
Michael G Schwern writes:
> Andreas J. Koenig wrote:
>
> > # umask
> > 002
> > # tar xzf
> > /home/ftp/pub/PAUSE/authors/id/Y/YV/YVES/ExtUtils-Install-1.51.tar.gz
> > # ls -la ExtUtils-Install-1.51
> > total 1104
> > -rwxrwxrwx 1 544 5131765 Mar 3 2008 Build.PL*
>
> Your tar is no
* Michael G Schwern <[EMAIL PROTECTED]> [2008-11-13 04:15]:
> I really, really, really don't want PAUSE modifying my stuff
> after it's uploaded. Oh god the mysterious bugs. And then
> there's the fact that the code I've put my name and signature
> on is not the same code as is being distributed!
On Thu, 13 Nov 2008, Michael G Schwern wrote:
> This is why I want CPAN to return to its common carrier policy. Don't inspect
> them, don't open them, don't reject them and especially don't try to fix them,
> just leave the packages sealed.
CPAN (at least the indexing part of it) always poked ins
Andreas J. Koenig wrote:
> > Most systems already do this by default, because it's good security
> > practice. If you don't have a umask set, that's a basic
> > vulnerability *at the user's end*. No amount of hand-holding from
> > CPAN will protect the user without a umask. Some other system wi
demerphq wrote:
>> I really, really, really don't want PAUSE modifying my stuff after it's
>> uploaded. Oh god the mysterious bugs. And then there's the fact that the
>> code I've put my name and signature on is not the same code as is being
>> distributed! That's a trust violation as well as ma
> On Wed, 12 Nov 2008 20:44:45 -0800, Michael G Schwern <[EMAIL PROTECTED]>
> said:
> Andreas J. Koenig wrote:
>>> On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern <[EMAIL PROTECTED]> said:
>>
>> > Now that the CPAN shells and archiving modules are handling it at t
On Thu, 13 Nov 2008 05:12:33 +0100, Andreas J. Koenig <[EMAIL PROTECTED]> wrote:
On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern <[EMAIL PROTECTED]> said:
> Now that the CPAN shells and archiving modules are handling it at
> their end, I
> think the PAUSE filter should be removed. It
> On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern <[EMAIL PROTECTED]>
> said:
> Now that the CPAN shells and archiving modules are handling it at their
> end, I
> think the PAUSE filter should be removed. It's not PAUSE's job to be the
> code
> police.
It is 'tar xzf CPANFILE.
> On Wed, 12 Nov 2008 14:51:26 -0600, Jonathan Rockway <[EMAIL PROTECTED]>
> said:
> I agree with demerphq here, why can't PAUSE just fix this?
It didn't come up in the hasty discussion about this problem, it
didn't occur to me for a moment. And to nobody else. And the number of
victim
On Thursday 13 November 2008, David Golden wrote:
> On Thu, Nov 13, 2008 at 3:39 AM, Shlomi Fish <[EMAIL PROTECTED]> wrote:
> >> What I was expressing is that the CPAN shell can do the twiddling to
> >> strip flags at the point of extraction, rather than PAUSE stopping it at
> >> the gate. Archive:
On Thu, Nov 13, 2008 at 3:39 AM, Shlomi Fish <[EMAIL PROTECTED]> wrote:
>> What I was expressing is that the CPAN shell can do the twiddling to strip
>> flags at the point of extraction, rather than PAUSE stopping it at the
>> gate. Archive::Tar already does this (see
>> $Archive::Tar::INSECURE_EXT
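The two technical points in this thread, the quoted `umask 002; tar xzf ...` listing that leaves Build.PL as `-rwxrwxrwx`, and the suggestion that the CPAN shell strip the offending mode bits at the point of extraction rather than PAUSE doing it at the gate, as an added example. This is not code from the thread, from PAUSE, from CPAN.pm or from Archive::Tar; it is a small Python stand-in for a client-side extractor. The sample archive, its member names (`Sample-Dist-0.01/Build.PL`), and the `clamp_mode`, `extract` and `extract_to_tempdir` helpers are all constructed for illustration.

```python
import io
import os
import stat
import tarfile
import tempfile

# Constructed sample, not a real CPAN upload: a dist directory and a Build.PL
# whose recorded mode is 0777, the same world-writable mode as in the quoted
# `ls -la` listing. A tuple with data=None describes a directory member.
SAMPLE_MEMBERS = [
    ("Sample-Dist-0.01", 0o777, None),
    ("Sample-Dist-0.01/Build.PL", 0o777, b"use Module::Build;\n"),
]

# Bits a client should never honour from an untrusted archive: group/world
# write, plus the set-uid, set-gid and sticky bits.
UNSAFE_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def build_tarball(members) -> bytes:
    """Pack (name, mode, data) tuples into an in-memory .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, data in members:
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            else:
                info.size = len(data)
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def clamp_mode(mode: int) -> int:
    """Strip the unsafe bits from an archive member's recorded mode."""
    return mode & ~UNSAFE_BITS


def extract(archive: bytes, dest: str, strip: bool) -> dict:
    """Extract the archive into dest, applying each member's mode with an
    explicit chmod. chmod is not subject to the umask, which is how a
    `tar -p` style extraction (the default for root on many systems) ends
    up with 0777 files no matter what umask the user set. With strip=False
    the recorded mode is applied verbatim; with strip=True the client clamps
    it first. Members that would land outside dest are refused.
    Returns {member name: resulting permission bits}.
    """
    dest = os.path.realpath(dest)
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            target = os.path.realpath(os.path.join(dest, member.name))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError(f"refusing member outside destination: {member.name}")
            mode = clamp_mode(member.mode) if strip else member.mode
            if member.isdir():
                os.makedirs(target, exist_ok=True)
            elif member.isreg():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as fh:
                    fh.write(tar.extractfile(member).read())
            else:
                continue  # symlinks, devices and the like are out of scope here
            os.chmod(target, mode)
            result[member.name] = stat.S_IMODE(os.stat(target).st_mode)
    return result


def extract_to_tempdir(archive: bytes, strip: bool) -> dict:
    """Convenience wrapper: extract into a fresh temporary directory."""
    return extract(archive, tempfile.mkdtemp(prefix="cpan-extract-"), strip)


if __name__ == "__main__":
    tarball = build_tarball(SAMPLE_MEMBERS)
    for strip in (False, True):
        label = "clamped" if strip else "as recorded"
        for name, mode in extract_to_tempdir(tarball, strip).items():
            print(f"{label:12} {oct(mode)} {name}")
```

The thing to notice is the explicit chmod: once the extractor applies the archive's mode bits itself, the user's umask never enters into it, so a safe umask on the user's side only helps with extractors that leave the final bits to the kernel. Clamping at extraction removes that dependency, and it does so without touching the uploaded tarball, which is what the "common carrier" side of the thread wants; the containment check is the usual companion precaution against members whose names climb out of the target directory.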
2008/9/30 Andreas J. Koenig <[EMAIL PROTECTED]>:
>> On Tue, 23 Sep 2008 11:40:09 +0200, "Jos I. Boumans" <[EMAIL PROTECTED]>
>> said:
>
> >> And so I have implemented it now. If it breaks too much in too short
> >> time, we could probably revert it, but first I'd like to see how bad
> >
On Thursday 13 November 2008, Michael G Schwern wrote:
> Andreas J. Koenig wrote:
> >> On Wed, 12 Nov 2008 19:13:40 -0800, Michael G Schwern
> >> <[EMAIL PROTECTED]> said:
> > >
> > > Now that the CPAN shells and archiving modules are handling it at
> > > their end, I think the PAUSE