On Mon, Sep 22, 2008 at 9:24 AM, Shlomi Fish <[EMAIL PROTECTED]> wrote:
> Well, it does. However, hardly anyone pays any attention to CPANTS, and it's
> out there in the background, and hardly influences the general perception of
> the module.

As an aside, if the core Kwalitee metrics are sufficiently tight, I'd support seeing core Kwalitee on search.cpan.org. I think all the controversial stuff has moved to the optional metrics, now.

>> * The CPAN Testers grades relate only to the ability to build/test a
>> distribution. Unless world writable files prevent that, FAIL or
>> UNKNOWN are not appropriate
>
> World-writable files are a security risk and the CPAN shell should refuse to
> test the distribution if they exist. A security conscious admin won't install
> such modules if they generate world-writable files. As such, one should not
> proceed to the build/test stage and fail immediately.

These are orthogonal problems. CPAN Testers is intended to determine whether a distribution's tests pass. The project recently returned to the original definition of UNKNOWN to include build failures, meaning that FAIL is reserved only for failing tests. World-writable files are unrelated to the success of either building or testing.

That doesn't mean that they aren't potentially important. However, I'm a little confused as to the nature of the security risk and the level of risk involved.

If the risk is that someone might replace my Makefile.PL in the exact moment between untarring a distribution and running 'perl Makefile.PL' then I think that the overall threat level is pretty low. After all, any PL or test file can do anything it wants to your system -- this is why modules shouldn't be built or tested as a privileged user. And even if you skim the PL file, how often do you read every test file to make sure it doesn't call system("rm -rf /")?

If the risk is that a world-writable file could be installed, it seems like most things in blib seem to be set read-only -- but I just noticed that some things are not (e.g. scripts & man pages). That seems like it might be a security bug in EU::MM or M::B and worth fixing.

In any case, my point is that if there is a real security risk of a non-trivial magnitude, then we should fix it. If it isn't of significant magnitude, then I question whether anything needs to be done about it at all if the only impact is Mandriva users getting annoying warnings.

In either case, I don't think CPAN Testers is the right project to notify authors about world-writable files. If you don't think CPANTS is too passive, it would be a fairly simple perl program to monitor CPAN uploads, pull down and extract the tarball, check for world-writable files and email the author. E.g. one could use POE::Component::SmokeBox::Uploads::RSS, LWP, Archive::Extract, Email::Simple and POE::Component::Client::SMTP and just add a bit of glue.

It's actually a harder problem for CPAN Testers tools because of the need to tap into CPAN or CPANPLUS between the extraction and the initial call to 'perl Makefile.PL' or 'perl Build.PL', which they currently don't do.

--
David
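The check David sketches above (pull the tarball, look for world-writable entries, tell the author) as an added example; this is not code from the thread or from any of the CPAN tools named in it, and it is written in Python with the standard tarfile module rather than the Perl modules he lists. The distribution Foo-Bar-0.01 and its contents are constructed in memory so the example runs offline. It also shows the alternative raised in the thread: instead of refusing the distribution, a client can clear the other-write bit on every member while extracting.

```python
import copy
import io
import stat
import tarfile

# Constructed sample: an in-memory tarball shaped like a CPAN distribution.
# Foo-Bar-0.01 is a made-up name; two entries deliberately carry the other-write bit.
SAMPLE_ENTRIES = [
    # (archive name, mode, entry type, content)
    ("Foo-Bar-0.01", 0o755, tarfile.DIRTYPE, b""),
    ("Foo-Bar-0.01/Makefile.PL", 0o644, tarfile.REGTYPE,
     b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo::Bar');\n"),
    ("Foo-Bar-0.01/lib", 0o777, tarfile.DIRTYPE, b""),                 # world-writable directory
    ("Foo-Bar-0.01/lib/Foo/Bar.pm", 0o666, tarfile.REGTYPE,
     b"package Foo::Bar;\n1;\n"),                                       # world-writable file
    ("Foo-Bar-0.01/t/basic.t", 0o644, tarfile.REGTYPE, b"print \"ok 1\\n\";\n"),
    ("Foo-Bar-0.01/README.lnk", 0o777, tarfile.SYMTYPE, b""),          # symlink: its mode is not applied
]


def build_sample_tarball() -> bytes:
    """Write SAMPLE_ENTRIES into a gzip-compressed tar image held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, typ, content in SAMPLE_ENTRIES:
            info = tarfile.TarInfo(name)
            info.type = typ
            info.mode = mode
            if typ == tarfile.SYMTYPE:
                info.linkname = "README"
            info.size = len(content) if typ == tarfile.REGTYPE else 0
            tar.addfile(info, io.BytesIO(content) if typ == tarfile.REGTYPE else None)
    return buf.getvalue()


def world_writable_entries(tar_bytes: bytes) -> list:
    """Return [(name, mode)] for every archive member whose mode grants write to 'other'.

    Symlinks and hard links are skipped: a symlink's recorded mode is not applied on
    extraction, and the permission that matters is the one on the target it points to.
    The check reads the tar headers only; nothing is written to disk.
    """
    offenders = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                continue
            if member.mode & stat.S_IWOTH:
                offenders.append((member.name.rstrip("/"), member.mode & 0o7777))
    return offenders


def strip_other_write(member: tarfile.TarInfo, dest_path: str) -> tarfile.TarInfo:
    """Extraction filter with the (member, path) signature that TarFile.extractall(filter=...)
    expects (Python 3.12, and the 3.8 to 3.11 security releases that backported it).
    Returns a copy of the member with the other-write bit cleared, so a client that
    chooses to proceed never creates a world-writable file or directory on disk."""
    fixed = copy.copy(member)
    fixed.mode = member.mode & ~stat.S_IWOTH
    return fixed


def sanitized_modes(tar_bytes: bytes) -> list:
    """Run strip_other_write over every member without extracting; returns [(name, mode)]."""
    out = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            out.append((member.name.rstrip("/"), strip_other_write(member, ".").mode & 0o7777))
    return out


def report(dist_name: str, offenders: list) -> str:
    """Plain-text notice of the kind the monitor would mail to the author (constructed wording)."""
    if not offenders:
        return f"{dist_name}: no world-writable entries."
    lines = [f"{dist_name} contains {len(offenders)} world-writable entries:"]
    lines += [f"  {name}  mode {mode:04o}" for name, mode in offenders]
    lines.append("Please re-pack the distribution with a umask of 022 and re-upload.")
    return "\n".join(lines)


if __name__ == "__main__":
    tarball = build_sample_tarball()
    print(report("Foo-Bar-0.01", world_writable_entries(tarball)))
    for name, mode in sanitized_modes(tarball):
        print(f"after filter: {name} {mode:04o}")
```

The directory entry is flagged as well as the file: a world-writable directory lets any local user drop a new file (say, a replacement Makefile.PL) into the extracted tree, which is the window the thread is arguing about. Whether to refuse the distribution outright or extract it through `strip_other_write` is the policy question the thread leaves open; both paths work from the same header scan.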