On Wed, Nov 12, 2008 at 3:17 PM, demerphq <[EMAIL PROTECTED]> wrote:
> I rather strongly object to this change.

I totally understand -- but keep in mind that this was in response to someone flagging this as a potential (if highly unlikely) security hole, forwarding it to some security-watchdog site, etc. So the rapid response was "close the hole so no one can say CPAN creates a security risk". (Other than the usual, obvious one of running arbitrary code...) So it causes some pain, but in my view, it's in the interest of the Perl community to be seen as vigilant.

> this silly test. What really gets me going tho is I WASN'T TOLD THIS
> ABOUT 1.51_01 or 1.51_02 or 1.51_03 or (do you detect a pattern here?)
> 1.51_04 or 1.51_05, all of which I uploaded in the last few days in
> the exact same way!!!

That's kind of a loophole, since development versions aren't indexed. I think any upload that fails a security test should probably be rejected, whether development or full release.

> IMO if the toolchain is to work this should happen at PAUSE (if it can
> detect this problem IMO it should just damn well fix it itself) or at
> extraction.

It *is* being fixed at extraction. But it requires people to upgrade CPAN and CPANPLUS (maybe Archive::Extract as well). It was a faster fix to close the PAUSE indexing door than to get those fixes released.

> What's going to happen next, stuff rejected because they don't have
> *nix line endings? Or *nix style shebangs? Or use perl-qa's preferred
> indentation style or something? Hmmmm?!

Maybe instead, at a minimum, every distribution should be run against Perl::Critic at severity level 4 and anything that doesn't pass should be rejected as well. ;-) (THAT'S A JOKE, PEOPLE!)

> /grrrr

Right there with you, except my "/grrr" was back when the "security alert" got sent off to the watchdogs while the discussion was still going on as to whether this was a significant risk in the first place.

-- 
David
I totally understand -- but keep in mind that this was in response to someone flagging this as a potential (if highly unlikely) security hole, forwarding it to some security-watchdog site, etc. So the rapid response was "close the hole so no one can say CPAN creates a security risk". (Other than the usual, obvious one of running arbitrary code...) So it causes some pain, but in my view, it's in the interest of the Perl community to be seen as vigilant. > this silly test. What really gets me going tho is I WASNT TOLD THIS > ABOUT 1.51_01 or 1.51_02 or 1.51_03 or (do you detect a pattern here?) > 1.51_04 or 1.51_05, all of which i uploaded in the last few days in > the exact same way!!! That's kind of a loophole, since development versions aren't indexed. I think any upload that fails a security test should probably be rejected, whether development or full release. > IMO if the toolchain is to work this should happen at PAUSE (if it can > detect this problem IMO it should just damn well fix it itself) or at > extraction. It *is* being fixed at extraction. But it requires people to upgrade CPAN and CPANPLUS (maybe Archive::Extract as well). It was a faster fix to close the PAUSE indexing door than to get those fixes released. > Whats going to happen next, stuff rejected because they don't have > *nix line endings? Or *nix style shebangs? Or use perl-qa's preferred > indentation style or something? Hmmmm?! Maybe instead, at a minimum, every distribution should be run against Perl::Critic at severity level 4 and anything that doesn't pass should be rejected as well. ;-) (THAT'S A JOKE, PEOPLE!) > /grrrr Right there with you, except my "/grrr" was back when the "security alert" got sent off to the watchdogs while the discussion was still going on as to whether this was a significant risk in the first place. -- David