Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Michael G Schwern
Aristotle Pagaltzis wrote:
> * Michael G Schwern <[EMAIL PROTECTED]> [2008-09-29 16:35]:
>> Aristotle Pagaltzis wrote:
>>> * Michael G Schwern <[EMAIL PROTECTED]> [2008-09-29 14:50]:
>>>> MakeMaker can set a minimum umask if it wants to play
>>>> security nanny
>>> On Windows?
>> Windows, as always, is a "special" case. If a work around is
>> necessary for Windows that's fine.
> 
> Err, the *only* point of this patch is Windows. The idea was to
> relieve Windows users from having to hack their tar before they
> can use EU::MM to bake distros that the CPAN indexer will not
> reject.
> 
> If you propose a “better solution” that doesn’t work on Windows
> then it might be “better” but it fails to be a “solution.”

Allow me to clarify.  I'm fine with putting in code to help Windows users deal
with the world writable issue, that's the work around I was referring to.
This is in contrast to adding in code to strip out the world-writable flag on
Unix, which has perfectly fine facilities to deal with that across the board.

I've kind of lost track of what's being proposed by whom.


-- 
Life is like a sewer - what you get out of it depends on what you put into it.
- Tom Lehrer


Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Aristotle Pagaltzis
* Michael G Schwern <[EMAIL PROTECTED]> [2008-09-29 16:35]:
> Aristotle Pagaltzis wrote:
> > * Michael G Schwern <[EMAIL PROTECTED]> [2008-09-29 14:50]:
> >> MakeMaker can set a minimum umask if it wants to play
> >> security nanny
> > 
> > On Windows?
> 
> Windows, as always, is a "special" case. If a work around is
> necessary for Windows that's fine.

Err, the *only* point of this patch is Windows. The idea was to
relieve Windows users from having to hack their tar before they
can use EU::MM to bake distros that the CPAN indexer will not
reject.

If you propose a “better solution” that doesn’t work on Windows
then it might be “better” but it fails to be a “solution.”

Regards,
-- 
Aristotle Pagaltzis // 


Re: [RFC] Dealing with World-writable Files in the Archive of CPAN Distributions

2008-09-29 Thread Andreas J. Koenig
> On Tue, 23 Sep 2008 11:40:09 +0200, "Jos I. Boumans" <[EMAIL PROTECTED]> said:

 >> And so I have implemented it now. If it breaks too much in too short
 >> time, we could probably revert it, but first I'd like to see how bad
 >> we really do.

  > I agree to this (first) solution; this will give us a good idea about
  > the scope of the problem.

I have watched the indexer for a week now. The scope is more than two
uploads per day. These uploads got an email about world writable files
or directories. I looked up their CPAN directories right now and based
on the findings I have added the third column.

23-Sep  SEMUELF/Data-ParseBinary-0.07.tar.gz          fixed
26-Sep  GFUJI/warnings-unused-0.02.tar.gz             not fixed
26-Sep  STEFFENW/DBD-PO-0.10.tar.gz                   not fixed
26-Sep  STEFFENW/Bundle-DBD-PO-0.10.tar.gz            not fixed
26-Sep  AJDIXON/daemonise-1.0.tar.gz                  not fixed
26-Sep  RPHANEY/openStatisticalServices-0.015.tar.gz  fixed
26-Sep  RPHANEY/openStatisticalServices-0.018.tar.gz  fixed
27-Sep  COSIMO/Imager-SkinDetector-0.01.tar.gz        fixed
27-Sep  FAYLAND/Pod-From-GoogleWiki-0.06.tar.gz       fixed
28-Sep  DANNY/Rose-DBx-Object-Renderer-0.34.tar.gz    not fixed
28-Sep  MTHURN/WWW-Search-Ebay-2.244.tar.gz           fixed
28-Sep  JSTROM/Tk-TextVi-0.014.tar.gz                 not fixed
28-Sep  JSTROM/Tk-TextVi-0.0141.tar.gz                not fixed
29-Sep  MATTN/Net-Kotonoha-0.07.tar.gz                fixed
29-Sep  MTHURN/WWW-Search-Ebay-Europe-2.002.tar.gz    fixed
29-Sep  ANGERSTEI/Net-Ping-Network-1.57.tar.gz        not fixed
29-Sep  RPHANEY/openStatisticalServices-0.019.tar.gz  fixed

Congratulations to all authors who managed to fix their distros.
If *you* are among them, please spread the word how you did it.

I expect that the third column is already wrong when you read this.

Good night,
-- 
andreas


Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Michael G Schwern
Aristotle Pagaltzis wrote:
> * Michael G Schwern <[EMAIL PROTECTED]> [2008-09-29 14:50]:
>> MakeMaker can set a minimum umask if it wants to play security
>> nanny
> 
> On Windows?

Windows, as always, is a "special" case.  If a work around is necessary for
Windows that's fine.


-- 
Hating the web since 1994.


Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread David Cantrell
On Sun, Sep 28, 2008 at 10:14:10PM +0200, Cosimo Streppone wrote:

> Could this work?

No, because --mode is a GNUism.  If you make that the default then it
will break for everyone who doesn't use GNU tar.

Having EU::MM try to use that flag when it's supported is a good idea
though.  Probably better, and easier, to just make it use Archive::Tar,
and patch that if necessary.

-- 
David Cantrell | Minister for Arbitrary Justice

Today's previously unreported paraphilia is tomorrow's Internet sensation
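
[Added example, not part of the thread and not code from PAUSE, EU::MM or
Archive::Tar.] The two ideas discussed above, finding world-writable members
in a dist tarball and clearing the bit in a tar library instead of relying on
GNU tar's --mode, sketched with Python's tarfile module. The sample archive
and all function names are constructed for illustration; treating "world
writable" as "other-write bit set on a non-symlink member" is an assumption,
since the indexer's exact rule is not quoted in these messages.

```python
import io
import stat
import tarfile

def build_sample_archive():
    """Constructed sample: a dist tarball packed where no umask applied."""
    members = [
        ("Foo-0.01", tarfile.DIRTYPE, 0o777, b""),
        ("Foo-0.01/Makefile.PL", tarfile.REGTYPE, 0o666, b"use ExtUtils::MakeMaker;\n"),
        ("Foo-0.01/lib/Foo.pm", tarfile.REGTYPE, 0o644, b"package Foo; 1;\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, kind, mode, data in members:
            info = tarfile.TarInfo(name)
            info.type, info.mode, info.size = kind, mode, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def world_writable(archive_bytes):
    """Return (name, mode) for every non-symlink member with the o+w bit set."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return [(m.name, m.mode) for m in tar
                if not m.issym() and m.mode & stat.S_IWOTH]

def strip_world_writable(archive_bytes):
    """Re-pack the archive with o+w cleared; names and contents are unchanged."""
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src:
            if not m.issym():  # symlink modes are conventionally 0777, leave them
                m.mode &= ~stat.S_IWOTH
            dst.addfile(m, src.extractfile(m) if m.isreg() else None)
    return out.getvalue()

def read_member(archive_bytes, name):
    """Return the bytes of one regular member, to confirm content survives."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        return tar.extractfile(name).read()

if __name__ == "__main__":
    dist = build_sample_archive()
    for name, mode in world_writable(dist):
        print(f"world writable: {name} ({mode:04o})")
    print("after re-pack:", world_writable(strip_world_writable(dist)))
```

Because the mode is rewritten in the archive header rather than on disk, the
same step behaves identically on Windows and on systems without GNU tar.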


Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Aristotle Pagaltzis
* Michael G Schwern <[EMAIL PROTECTED]> [2008-09-29 14:50]:
> MakeMaker can set a minimum umask if it wants to play security
> nanny

On Windows?

Regards,
-- 
Aristotle Pagaltzis // 


Re: [PATCH] ExtUtils::MakeMaker and world writable files in dists

2008-09-29 Thread Michael G Schwern
Aristotle Pagaltzis wrote:
> * Cosimo Streppone <[EMAIL PROTECTED]> [2008-09-29 02:10]:
>> but it seems that gnu tar doesn't like the following:
>>
>>   $ tar --mode=0755 cvf blah.tar somedir
>>   $ tar c --mode=0755 vf blah.tar somedir
>>
>> and will only accept:
>>
>>   $ tar cvf blah.tar --mode=0755 somedir
>>
>> Could this work?
> 
> GNU tar will, however, accept this:
> 
> tar cv --mode=0755 -f foo.tar bar/

MakeMaker can set a minimum umask if it wants to play security nanny,
side-stepping the "what flags do my programs take" game.


> Honestly, though, if you are using tar on Windows, I don’t know
> why you would want any other default. Patching EU::MM is the
> pragmatic approach, and we probably can’t avoid it, but I think
> it is the wrong place to fix this, still.

I would tend to agree.  Rather than papering over the root problem (no umask)
in each utility, I would rather people were educated to set their umask.


-- 
164. There is no such thing as a were-virgin.
-- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
   http://skippyslist.com/list/


Re: Devel::CheckOS support for MirOS BSD

2008-09-29 Thread Chris 'BinGOs' Williams
On Mon, Sep 29, 2008 at 10:35:39AM +0100, David Cantrell wrote:
> Before I upload it to the CPAN, could I ask if someone using MirOS BSD
> could check that this release candidate detects it correctly?
> 
> http://www.cantrell.org.uk/david/private/Devel-CheckOS-1.44.tar.gz
> 
> It should detect it as:
>   MirOSBSD
>   Unix
>   OSFeatures::POSIXShellRedirection

Sorry, only just got around to checking this for you.

It does indeed report the above.

Many thanks,

-- 
Chris Williams
aka BinGOs
PGP ID 0x4658671F
http://www.gumbynet.org.uk


Devel::CheckOS support for MirOS BSD

2008-09-29 Thread David Cantrell
Before I upload it to the CPAN, could I ask if someone using MirOS BSD
could check that this release candidate detects it correctly?

http://www.cantrell.org.uk/david/private/Devel-CheckOS-1.44.tar.gz

It should detect it as:
  MirOSBSD
  Unix
  OSFeatures::POSIXShellRedirection

-- 
David Cantrell | Nth greatest programmer in the world

Eye have a spelling chequer / It came with my pea sea
It planely marques four my revue / Miss Steaks eye kin knot sea.
Eye strike a quay and type a word / And weight for it to say
Weather eye am wrong oar write / It shows me strait a weigh.