2008/11/13 Michael G Schwern <[EMAIL PROTECTED]>:
> Jonathan Rockway wrote:
>> * On Wed, Nov 12 2008, David Golden wrote:
>>> On Wed, Nov 12, 2008 at 3:17 PM, demerphq <[EMAIL PROTECTED]> wrote:
>>>> IMO if the toolchain is to work this should happen at PAUSE (if it can
>>>> detect this problem IMO it should just damn well fix it itself) or at
>>>> extraction.
>>> It *is* being fixed at extraction. But it requires people to upgrade
>>> CPAN and CPANPLUS (maybe Archive::Extract as well). It was a faster
>>> fix to close the PAUSE indexing door than to get those fixes released.
>>
>> I agree with demerphq here, why can't PAUSE just fix this? It won't
>> break signatures (since they sign file content, not file metadata),
>
> Maybe they should start signing the metadata then!
>
>
>> and
>> it won't break the CHECKSUMS file (since that could be generated after
>> the tarball is fixed).
>>
>> It could be weird if what you upload to CPAN isn't what you
>> download... but it fixes a security problem, and it doesn't require
>> authors to know that this problem exists. Abstraction++
>
> -100_000_000
>
> I really, really, really don't want PAUSE modifying my stuff after it's
> uploaded. Oh god the mysterious bugs. And then there's the fact that the
> code I've put my name and signature on is not the same code as is being
> distributed! That's a trust violation as well as maybe a license violation.
Oh please, save me the drama. We aren't talking about modifying "your stuff"; we are talking about twiddling some bits in a tar file. Bits in a tar file, mind you, that mean nothing to the system that the tar file was created on.

And if you really do want to be picky about this, then it could be voluntary, as was already suggested. Then when PAUSE bounces my package it can say "We've rejected your package for blah blah blah, but we can fix it for you if you visit this [link], or if you reupload a new package with SPECIALFLAG set in the FNORBLE file."

> This security check has sent CPAN on the slippery slope of security. Until
> now CPAN has been a common carrier. Pretty much anything was allowed, stuff
> was only rejected for extreme reasons and always on a case-by-case basis and
> always by human judgment. Now we've put in an automatic filter to reject some
> vaguely insecure code. CPAN is no longer a common carrier. Once that line
> has been crossed, all sorts of attempts will be made to add more filtering,
> such as the suggestion above.
>
> They will be well intentioned and they will add complications and generate
> false negatives and get in people's way and continue to erode CPAN's policy of
> being a common carrier.
>
> Now that the CPAN shells and archiving modules are handling it at their end, I
> think the PAUSE filter should be removed. It's not PAUSE's job to be the code
> police.

I agree with this. However, we are where we are, and PAUSE fixing the package in a way that doesn't require Windows users to get annoyed is a good solution.

-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
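A worked illustration of the point being argued over, added here as an editorial example and not code from this thread, PAUSE, CPAN.pm, CPANPLUS or Archive::Extract: the gate that bounces a tarball, the metadata-only fix ("twiddling some bits"), and why a signature over file content survives that fix while a checksum over the tarball does not. It assumes the offending metadata is the world-writable permission bit on archive members; the thread never names the bit, so that is my reading of "bits in a tar file that mean nothing to the system that the tar file was created on". The distribution Foo-Bar-0.01 and its two files are constructed samples, not a real CPAN upload. It is written in Python rather than Perl so it runs with only the standard library, and per-file SHA-256 digests stand in for the per-file digests a SIGNATURE file carries; nothing here is Module::Signature's or PAUSE's actual format.

```python
import hashlib
import io
import stat
import tarfile

# Constructed sample distribution (hypothetical name and contents, not a real CPAN dist).
SAMPLE_FILES = {
    "Foo-Bar-0.01/Makefile.PL": b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Foo::Bar');\n",
    "Foo-Bar-0.01/lib/Foo/Bar.pm": b"package Foo::Bar;\nour $VERSION = '0.01';\n1;\n",
}
SAMPLE_DIRS = ["Foo-Bar-0.01", "Foo-Bar-0.01/lib", "Foo-Bar-0.01/lib/Foo"]


def _member(name, data=None, mode=0o644, is_dir=False):
    """Build a tar header with fixed owner/time so the archive bytes are reproducible."""
    info = tarfile.TarInfo(name)
    info.type = tarfile.DIRTYPE if is_dir else tarfile.REGTYPE
    info.mode = mode
    info.size = 0 if data is None else len(data)
    info.mtime = 0
    info.uid = info.gid = 0
    info.uname = info.gname = ""
    return info


def build_sample_dist(world_writable):
    """Pack the sample as an uncompressed tarball in memory. With world_writable=True
    every member carries o+w, which is the assumption made here about what the
    archives being rejected look like (the thread does not spell the bit out)."""
    dir_mode, file_mode = (0o777, 0o666) if world_writable else (0o755, 0o644)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for d in SAMPLE_DIRS:
            tar.addfile(_member(d, mode=dir_mode, is_dir=True))
        for name, data in SAMPLE_FILES.items():
            tar.addfile(_member(name, data, mode=file_mode), io.BytesIO(data))
    return buf.getvalue()


def world_writable_members(tar_bytes):
    """The PAUSE-style gate: names of members whose mode has the other-write bit set."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if m.mode & stat.S_IWOTH]


def strip_world_write(tar_bytes):
    """The 'twiddle the bits' fix, wherever it is applied (PAUSE or extraction):
    rewrite the archive with o-w cleared on every header; file bodies are copied verbatim."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as src, \
         tarfile.open(fileobj=out, mode="w") as dst:
        for m in src.getmembers():
            m.mode &= ~stat.S_IWOTH
            dst.addfile(m, src.extractfile(m) if m.isfile() else None)
    return out.getvalue()


def content_digests(tar_bytes):
    """Per-file digests of member contents: what a content-based signature covers.
    Mode, owner and mtime are deliberately left out, as in a SIGNATURE-style manifest."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                for m in tar.getmembers() if m.isfile()}


def archive_digest(tar_bytes):
    """Digest of the whole tarball: what a CHECKSUMS-style entry covers."""
    return hashlib.sha256(tar_bytes).hexdigest()


def demo():
    """Upload with o+w set, apply the fix, and compare what each integrity check sees."""
    uploaded = build_sample_dist(world_writable=True)
    fixed = strip_world_write(uploaded)
    return {
        "rejected_members": world_writable_members(uploaded),
        "members_after_fix": world_writable_members(fixed),
        "content_signature_unchanged": content_digests(uploaded) == content_digests(fixed),
        "tarball_checksum_unchanged": archive_digest(uploaded) == archive_digest(fixed),
        "same_size": len(uploaded) == len(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The content digests come out identical before and after the fix, the archive digest does not, and the two archives are the same length because only header bytes changed. That is the whole argument in one run: a signature over file contents is untouched, while anything computed over the tarball (a CHECKSUMS entry) has to be regenerated after the fix, exactly as suggested in the quoted mail. Real uploads are gzipped, which adds a second reason the tarball digest changes on rewrite (gzip headers carry their own timestamp), so the "generate CHECKSUMS after fixing" ordering matters even more there.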