On Mon, Sep 22, 2008 at 9:24 AM, Shlomi Fish <[EMAIL PROTECTED]> wrote:
> Well, it does. However, hardly anyone pays any attention to CPANTS, and it's
> out there in the background, and hardly influences the general perception of
> the module.

As an aside, if the core Kwalitee metrics are sufficiently tight, I'd
support seeing core Kwalitee on search.cpan.org.  I think all the
controversial stuff has moved to the optional metrics, now.

>> * The CPAN Testers grades relate only to the ability to build/test a
>> distribution.  Unless world writable files prevent that, FAIL or
>> UNKNOWN are not appropriate
>
> World-writable files are a security risk and the CPAN shell should refuse to
> test the distribution if they exist. A security conscious admin won't install
> such modules if they generate world-writable files. As such, one should not
> proceed to the build/test stage and fail immediately.

These are orthogonal problems.  CPAN Testers is intended to determine
whether a distribution's tests pass.  The project recently returned to
the original definition of UNKNOWN to include build failures, meaning
that FAIL is reserved only for failing tests.  World-writable files
are unrelated to the success of either building or testing.

That doesn't mean that they aren't potentially important.

However, I'm a little confused as to the nature of the security risk
and the level of risk involved.  If the risk is that someone might
replace my Makefile.PL in the exact moment between untarring a
distribution and running 'perl Makefile.PL' then I think that the
overall threat level is pretty low.  After all, any PL or test file
can do anything it wants to your system -- this is why modules
shouldn't be built or tested as a privileged user.  And even if you
skim the PL file, how often do you read every test file to make sure
it doesn't call system("rm -rf /")?

If the risk is that a world-writable file could be installed, it seems
like most things in blib are set read-only -- but I just
noticed that some things are not (e.g. scripts & man pages).  That
seems like it might be a security bug in EU::MM or M::B and worth
fixing.

In any case, my point is that if there is a real security risk of a
non-trivial magnitude, then we should fix it.  If it isn't of
significant magnitude, then I question whether anything needs to be
done about it at all if the only impact is Mandriva users getting
annoying warnings.

In either case, I don't think CPAN Testers is the right project to
notify authors about world-writable files.  If you don't think CPANTS
is too passive, it would be a fairly simple perl program to monitor
CPAN uploads, pull down and extract the tarball, check for
world-writable files and email the author.

E.g. one could use POE::Component::SmokeBox::Uploads::RSS, LWP,
Archive::Extract, Email::Simple and POE::Component::Client::SMTP and
just add a bit of glue.

It's actually a harder problem for CPAN Testers tools because of the
need to tap into CPAN or CPANPLUS between the extraction and the
initial call to 'perl Makefile.PL' or 'perl Build.PL', which they
currently don't do.

-- David
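
As an added example (not part of David's message, and not the POE-based tool he sketches), here is a stand-alone version of the check he describes, written in Python rather than Perl so it runs with no CPAN modules installed: it reads the modes recorded in a distribution tarball and reports every member with the world-write bit set, before anything is extracted and before any Makefile.PL or Build.PL is run. The tarball it scans is constructed inline under the made-up name Foo-Bar-0.01, so the example is self-contained; `world_writable_members`, `build_sample_dist` and `report` are names chosen here, not from any existing tool.

```python
import io
import sys
import tarfile

WORLD_WRITE = 0o002  # the o+w bit of a Unix mode


def world_writable_members(tar_bytes):
    """Scan a tarball held in memory and return [(member_name, mode), ...]
    for every file, directory or link whose recorded mode has the
    world-write bit set. Only the archive headers are read: nothing is
    extracted and no Makefile.PL or Build.PL is executed."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for member in tf:
            if member.mode & WORLD_WRITE:
                findings.append((member.name, member.mode & 0o7777))
    return findings


def build_sample_dist(sloppy=True):
    """Constructed test input (not a real CPAN upload): a tiny fake
    distribution tarball named Foo-Bar-0.01. With sloppy=True two members
    carry o+w (lib/Foo/Bar.pm at 0666 and the t/ directory at 0777); with
    sloppy=False the same members use 0644 and 0755."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name, mode, data=None):
            info = tarfile.TarInfo(name)
            info.mode = mode
            if data is None:            # no payload: record a directory
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                payload = data.encode()
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))

        add("Foo-Bar-0.01", 0o755)
        add("Foo-Bar-0.01/Makefile.PL", 0o644,
            "use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo::Bar');\n")
        add("Foo-Bar-0.01/lib/Foo/Bar.pm", 0o666 if sloppy else 0o644,
            "package Foo::Bar;\n1;\n")
        add("Foo-Bar-0.01/t", 0o777 if sloppy else 0o755)
        add("Foo-Bar-0.01/t/basic.t", 0o644,
            "use Test::More tests => 1;\nok(1);\n")
    return buf.getvalue()


def report(tar_bytes):
    """Format the findings the way a notification mail to the author might."""
    findings = world_writable_members(tar_bytes)
    if not findings:
        return "no world-writable members"
    lines = ["world-writable members found:"]
    for name, mode in findings:
        lines.append("  %04o  %s" % (mode, name))
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python check_ww.py Some-Dist-1.23.tar.gz
    # With no argument the built-in constructed sample is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dist()
    print(report(data))
```

One caveat the check has to live with: the mode stored in the archive only reaches the filesystem when tar preserves permissions (running as root, or with -p); an unprivileged user's umask normally clears the world-write bit on extraction, so a check that stats the extracted tree can come up clean even though the upload itself is not. Reading the archive's own headers flags what the author actually shipped, which is what an author-notification bot wants, and it also sidesteps the problem David raises of hooking CPAN or CPANPLUS between extraction and the first call to 'perl Makefile.PL'.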
