2009/1/28 Michael G Schwern <schw...@pobox.com>:
> A while ago, Audrey suggested inverting the process.  Rather than having a
> program that spits out meta-data, have meta-data which might contain programs.
>
> Why is this useful?  If you have a program it can do anything, this is the
> basic Makefile.PL/Build.PL/configure security hole.

If you have data that contains a program, this is no different. The
only difference now is that the installer will be doing a Windows
Vista-style popup thing, "Can I run this?", "Can I run that?" over and
over and over.

I note that we ALREADY have a mechanism for the META.yml to flag that
you don't need to run the Makefile.PL, so that in the simple cases you
avoid the need for execution.

> If you have meta-data that might run programs, you can be alerted before it
> does so.  You can have policies about whether you want that code run.  You can
> have defaults in case the code isn't run.  You can absorb common bits of code
> into the meta-language so people don't need to write custom code for it any
> more.  And the code snippets will be shorter and easier to eyeball for both
> security audits and debugging.
>
> For example...
>
> name:           Foo-Bar
> version:        from('lib/Foo/Bar.pm')
> abstract:       from('lib/Foo/Bar.pm')
> authors:
>        - Michael G Schwern <schw...@pobox.com>
> license:        perl
> requires:
>        everywhere:
>                File::Spec:     0.8
>                perl:           5.6.1
>        os_is('Win32'):
>                Win32::Thing:   1.23
>        sub { -x "/usr/bin/mysql" }:
>                DBD::mysql:     0
>
> And then we might absorb checks for binary programs into a which("mysql")
> meta-language function going forward.  Or even something that probes the
> native package manager.
>
> Because this is still dynamic, it may spit out a METALocal.yml to record its
> decisions.

M:I already provides this kind of meta-language (and did so even
before the DSL stuff). Here's the equivalent in the ordinary M:I
"meta-language". It's smaller and simpler than your data meta-language
already.

use inc::Module::Install 0.77;

all_from 'lib/Foo/Bar.pm';   # name, version, abstract, author and license from the module
requires 'File::Spec' => '0.8';
requires 'Win32::Thing' if win32;
requires 'DBD::mysql' if -x "/usr/bin/mysql";

WriteAll;                    # writes the Makefile and META.yml

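Added example, not code from either poster and not part of Module::Install: an installer-side sketch of the policy layer the quoted post argues for (alert before embedded code runs, a policy on whether it runs, a declared default when it does not) combined with the existing META.yml mechanism Adam mentions, the dynamic_config flag (0 means the prerequisites are complete as written and Makefile.PL need not be run; when the flag is absent the spec treats it as 1). The metadata is a constructed Perl data structure standing in for a parsed META.yml in the quoted conditional style; the 'defaults' key, the os_is-to-$^O name mapping and the { allow_code => ... } policy shape are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the thread or from Module::Install: an
# installer-side policy layer that resolves prerequisites from META.yml-
# style data, evaluates a closed vocabulary of conditions in-process, and
# only runs embedded Perl when the policy allows it, otherwise falling back
# to a declared default.
use strict;
use warnings;

# Constructed sample: the parsed form of a META.yml in the conditional
# style of the quoted post.  'dynamic_config' is the real META spec flag
# (0: prerequisites are complete as written, Makefile.PL need not run;
# absent means 1).  'defaults' is a hypothetical key: what to assume about
# a condition whose code the installer will not run.
my %meta = (
    name           => 'Foo-Bar',
    dynamic_config => 0,
    requires       => {
        'everywhere'                  => { 'File::Spec' => '0.8', 'perl' => '5.6.1' },
        "os_is('Win32')"              => { 'Win32::Thing' => '1.23' },
        'sub { -x "/usr/bin/mysql" }' => { 'DBD::mysql' => '0' },
    },
    defaults => { 'sub { -x "/usr/bin/mysql" }' => 0 },
);

my %os_name = ( Win32 => 'MSWin32' );    # assumed mapping of os_is() names onto $^O values

# Evaluate one condition key.  Only 'everywhere' and os_is(...) are
# evaluated in-process; a 'sub { ... }' key is literal Perl and is the
# point at which the installer alerts and consults the policy.
sub evaluate_condition {
    my ( $cond, $policy, $meta, $log ) = @_;
    return 1 if $cond eq 'everywhere';
    if ( $cond =~ /^os_is\('([^']+)'\)$/ ) {
        my $want = $os_name{$1} || $1;
        return $^O eq $want ? 1 : 0;
    }
    if ( $cond =~ /^sub\s*\{/ ) {
        push @$log, "ALERT: condition is code: $cond";
        if ( $policy->{allow_code} ) {
            my $code = eval $cond;    # the policy-gated execution
            die "condition '$cond' did not compile: $@" unless ref($code) eq 'CODE';
            push @$log, "ran code for: $cond";
            return $code->() ? 1 : 0;
        }
        my $default = $meta->{defaults}{$cond};
        push @$log, "code not run; default for '$cond' is " . ( $default ? 'true' : 'false' );
        return $default ? 1 : 0;
    }
    die "unknown condition '$cond'";    # fail closed on vocabulary we do not know
}

# Returns (\%prereqs, \@log); prereqs is undef when the answer is only
# available by running Makefile.PL.  The coarse dynamic_config flag is
# checked first; this resolver never spawns Makefile.PL itself.
sub resolve_prereqs {
    my ( $meta, $policy ) = @_;
    my ( %prereqs, @log );
    my $dynamic = exists $meta->{dynamic_config} ? $meta->{dynamic_config} : 1;
    if ($dynamic) {
        push @log, 'dynamic_config is set: prerequisites are only known after running Makefile.PL'
            . ( $policy->{allow_code} ? ' (policy would permit it; not done here)' : ' (policy forbids running it)' );
        return ( undef, \@log );
    }
    for my $cond ( sort keys %{ $meta->{requires} } ) {
        next unless evaluate_condition( $cond, $policy, $meta, \@log );
        my $mods = $meta->{requires}{$cond};
        $prereqs{$_} = $mods->{$_} for keys %$mods;
    }
    return ( \%prereqs, \@log );
}

for my $policy ( { allow_code => 0 }, { allow_code => 1 } ) {
    print "--- policy: allow_code=$policy->{allow_code}\n";
    my ( $prereqs, $log ) = resolve_prereqs( \%meta, $policy );
    print "  $_\n" for @$log;
    if ($prereqs) {
        printf "  requires %s %s\n", $_, $prereqs->{$_} for sort keys %$prereqs;
    }
}

# The coarse case: a distribution that did not declare static metadata.
my ( $p, $l ) = resolve_prereqs( +{ %meta, dynamic_config => 1 }, { allow_code => 0 } );
print "--- dynamic distribution: ", ( defined $p ? 'resolved' : 'refused' ), "\n";
print "  $_\n" for @$l;
```

Run it as-is with any Perl 5.8 or later. Under allow_code=0 the sub { ... } entry is logged but never compiled and DBD::mysql is decided by the declared default; under allow_code=1 the same entry is string-eval'd and the file test actually runs. The point of the separation is that the closed vocabulary (everywhere, os_is) never reaches eval at all, so the only thing an auditor has to read for execution risk is the small set of keys that start with sub.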