Jonathan Rockway wrote:
> * On Wed, Nov 12 2008, David Golden wrote:
>> On Wed, Nov 12, 2008 at 3:17 PM, demerphq <[EMAIL PROTECTED]> wrote:
>>> IMO if the toolchain is to work this should happen at PAUSE (if it can
>>> detect this problem IMO it should just damn well fix it itself) or at
>>> extraction.
>>
>> It *is* being fixed at extraction. But it requires people to upgrade
>> CPAN and CPANPLUS (maybe Archive::Extract as well). It was a faster
>> fix to close the PAUSE indexing door than to get those fixes released.
>
> I agree with demerphq here; why can't PAUSE just fix this? It won't
> break signatures (since they sign file content, not file metadata),

Maybe they should start signing the metadata then!

> and it won't break the CHECKSUMS file (since that could be generated after
> the tarball is fixed).
>
> It could be weird if what you upload to CPAN isn't what you
> download... but it fixes a security problem, and it doesn't require
> authors to know that this problem exists. Abstraction++

-100_000_000

I really, really, really don't want PAUSE modifying my stuff after it's uploaded. Oh god, the mysterious bugs.

And then there's the fact that the code I've put my name and signature on is not the same code as is being distributed! That's a trust violation as well as maybe a license violation.

This security check has sent CPAN down the slippery slope of security. Until now CPAN has been a common carrier. Pretty much anything was allowed; stuff was only rejected for extreme reasons, and always on a case-by-case basis and always by human judgment. Now we've put in an automatic filter to reject some vaguely insecure code. CPAN is no longer a common carrier.

Once that line has been crossed, all sorts of attempts will be made to add more filtering, such as the suggestion above. They will be well intentioned, and they will add complications and generate false negatives and get in people's way and continue to erode CPAN's policy of being a common carrier.

Now that the CPAN shells and archiving modules are handling it at their end, I think the PAUSE filter should be removed. It's not PAUSE's job to be the code police.

-- 
Reality is that which, when you stop believing in it, doesn't go away.
    -- Philip K. Dick