On Wed, Nov 12, 2008 at 3:17 PM, demerphq <[EMAIL PROTECTED]> wrote:
> I rather strongly object to this change.

I totally understand -- but keep in mind that this was in response to
someone flagging this as a potential (if highly unlikely) security
hole, forwarding it to some security-watchdog site, etc.  So the rapid
response was "close the hole so no one can say CPAN creates a security
risk".  (Other than the usual, obvious one of running arbitrary
code...)

So it causes some pain, but in my view, it's in the interest of the
Perl community to be seen as vigilant.

> this silly test. What really gets me going though is I WASN'T TOLD THIS
> ABOUT 1.51_01 or 1.51_02 or 1.51_03 or (do you detect a pattern here?)
> 1.51_04 or 1.51_05, all of which I uploaded in the last few days in
> the exact same way!!!

That's kind of a loophole, since development versions aren't indexed.
I think any upload that fails a security test should probably be
rejected, whether development or full release.

> IMO if the toolchain is to work this should happen at PAUSE (if it can
> detect this problem IMO it should just damn well fix it itself) or at
> extraction.

It *is* being fixed at extraction.  But it requires people to upgrade
CPAN and CPANPLUS (maybe Archive::Extract as well).  It was a faster
fix to close the PAUSE indexing door than to get those fixes released.

> What's going to happen next, stuff rejected because it doesn't have
> *nix line endings? Or *nix style shebangs? Or use perl-qa's preferred
> indentation style or something? Hmmmm?!

Maybe instead, at a minimum, every distribution should be run against
Perl::Critic at severity level 4 and anything that doesn't pass should
be rejected as well.  ;-)

(THAT'S A JOKE, PEOPLE!)

> /grrrr

Right there with you, except my "/grrr" was back when the "security
alert" got sent off to the watchdogs while the discussion was still
going on as to whether this was a significant risk in the first place.

-- David