2009/1/28 Michael G Schwern <[email protected]>:
> A while ago, Audrey suggested inverting the process. Rather than having a
> program that spits out meta-data, have meta-data which might contain programs.
>
> Why is this useful? If you have a program it can do anything, this is the
> basic Makefile.PL/Build.PL/configure security hole.
If you have data that contains a program, this is no different. The
only difference now is that the installer will be doing a Windows
Vista style popup thing, "Can I run this?", "Can I run that?" over and
over and over.
I note that we ALREADY have a mechanism for the META.yml to flag that
you don't need to run the Makefile.PL, so that in the simple cases you
avoid the need for execution.
> If you have meta-data that might run programs, you can be alerted before it
> does so. You can have policies about whether you want that code run. You can
> have defaults in case the code isn't run. You can absorb common bits of code
> into the meta-language so people don't need to write custom code for it any
> more. And the code snippets will be shorter and easier to eyeball for both
> security audits and debugging.
>
> For example...
>
> name: Foo-Bar
> version: from('lib/Foo/Bar.pm')
> abstract: from('lib/Foo/Bar.pm')
> authors:
>   - Michael G Schwern <[email protected]>
> license: perl
> requires:
>   everywhere:
>     File::Spec: 0.8
>     perl: 5.6.1
>   os_is('Win32'):
>     Win32::Thing: 1.23
>   sub { -x "/usr/bin/mysql" }:
>     DBD::mysql: 0
>
> And then we might absorb checks for binary programs into a which("mysql")
> meta-language function going forward. Or even something that probes the
> native package manager.
>
> Because this is still dynamic, it may spit out a METALocal.yml to record its
> decisions.
M:I already provides this kind of meta-language (and did so even
before the DSL stuff). Here's the equivalent in the ordinary M:I
"meta-language". It's smaller and simpler than your data meta-language
already.

use inc::Module::Install 0.77;
all_from 'lib/Foo/Bar.pm';
requires 'File::Spec' => '0.8';
requires 'Win32::Thing' if win32;
requires 'DBD::mysql' if -x "/usr/bin/mysql";
WriteAll;
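To make the trade-off in the quoted proposal concrete, here is an added example (not code from either poster, and not part of Module::Install) of how an installer could consume the "meta-data that may contain programs" layout: conditions written with meta-language functions such as os_is() and which() are evaluated by the installer itself, while raw `sub { ... }` snippets are only run if a local policy says so and are otherwise skipped with the default applied and the decision recorded, in the spirit of the METALocal.yml idea. The sample META structure, the policy hash, the decision log format and the `which` builtin are assumptions; only os_is() and the requires keys come from the thread.

```perl
#!/usr/bin/perl
# Added example: installer-side evaluation of conditional "requires" blocks.
# Not from the thread or from Module::Install; policy, log format and sample
# data are assumptions made for illustration.
use strict;
use warnings;
use File::Spec;

# Constructed sample, as if already parsed from META.yml (no YAML module needed).
my %meta = (
    name     => 'Foo-Bar',
    requires => {
        'everywhere'                  => { 'File::Spec' => '0.8', 'perl' => '5.6.1' },
        "os_is('Win32')"              => { 'Win32::Thing' => '1.23' },
        'sub { -x "/usr/bin/mysql" }' => { 'DBD::mysql' => '0' },
    },
);

# Meta-language functions implemented by the installer. These never eval
# code shipped inside the distribution; they only inspect the local system.
my %builtin = (
    os_is => sub {
        my ($os) = @_;
        $os = 'MSWin32' if $os eq 'Win32';   # proposal's spelling vs. $^O
        return $^O eq $os ? 1 : 0;
    },
    which => sub {
        my ($bin) = @_;
        for my $dir (File::Spec->path) {
            return 1 if -x File::Spec->catfile($dir, $bin);
        }
        return 0;
    },
);

# Policy for raw sub { ... } snippets (assumed knob):
#   skip - never run them; treat the condition as false and record that
#   run  - execute them, which is what a Makefile.PL effectively does today
my %policy = (code => 'skip');

# Returns (\%deps, \@decisions): the resolved prerequisites and a
# METALocal-style record of how each condition was decided.
sub resolve_requires {
    my ($meta, $policy) = @_;
    my (%deps, @decisions);
    for my $cond (sort keys %{ $meta->{requires} }) {
        my $block = $meta->{requires}{$cond};
        my ($verdict, $how);
        if ($cond eq 'everywhere') {
            ($verdict, $how) = (1, 'unconditional');
        }
        elsif ($cond =~ /^(\w+)\('([^']*)'\)$/ && $builtin{$1}) {
            # Built-in call: the installer evaluates it, no eval of foreign code.
            ($verdict, $how) = ($builtin{$1}->($2), "builtin $1");
        }
        elsif ($cond =~ /^sub\s*\{/) {
            if ($policy->{code} eq 'run') {
                my $code = eval $cond;    # explicit opt-in only
                ($verdict, $how) = (($code && $code->()) ? 1 : 0, 'ran embedded code');
            }
            else {
                ($verdict, $how) = (0, 'embedded code not run (policy), default applied');
            }
        }
        else {
            ($verdict, $how) = (0, 'unknown condition, ignored');
        }
        push @decisions, { condition => $cond, applied => $verdict, reason => $how };
        next unless $verdict;
        $deps{$_} = $block->{$_} for keys %$block;
    }
    return (\%deps, \@decisions);
}

my ($deps, $log) = resolve_requires(\%meta, \%policy);
print "requires $_ => $deps->{$_}\n" for sort keys %$deps;
print "[$_->{reason}] $_->{condition} => $_->{applied}\n" for @$log;
```

With the default `skip` policy the DBD::mysql block is never consulted and the log says why, so a site can audit which distributions actually needed code to run before deciding whether to flip the knob to `run`.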