Re: When CPAN shell cannot find a module

Randy Kobes
November 21, 2005 14:44
On Mon, 21 Nov 2005, Christopher Hicks wrote:

> On Mon, 21 Nov 2005, Chris Dolan wrote:
>> If CPAN made it easy to install unintended software by mistake, that would 
>> be a huge security hole.  Some people run cpan as root. Defensive 
>> programming is absolutely the right thing here.
> And how exactly would a shortcut that says "oh you asked for something that 
> isn't really a module name, would you like us to install THIS package which 
> contains CERTAIN modules anyway?" cause security issues?  I run the cpan 
> shell as root all the time.  It's a pain to have to remember the CPAN 
> conniptions every time I'm setting up a new random server and the less often 
> you deal with it the more likely you will have forgotten it all. This is 
> exactly the context where the sort of shortcut that Perl is known for should 
> be exemplified but it's not.  It may be the individual's first exposure to the 
> Perl world.  Let's not make it suck because of weak fears.
> PathTools and Template Toolkit are both examples where the thing to type into 
> CPAN isn't clear to the newbie sysadmins.  If we had a list of things like 
> that for the important modules that have such strangeness then there should 
> be any security problem in doing this without prompting since those mappings 
> would be official and Known To Be OK.  If I say
> 	install TemplateToolkit
> or
> 	install Template::Toolkit
> having that map to
> 	install Template
> without too much fuss is not only harmless and significantly helpful it might 
> even be a security benefit since I won't accidentally install three other 
> templating things in the meantime hoping to find the right one.  The amount 
> of time saved for sysadmins all over the world without causing anyone one 
> iota of actual harm is awe-inspiring.
> So, am I really missing something here?  Is there really some chance for a 
> harmful mistake being made that can't be trivially mitigated with solutions 
> like I mentioned above?

Andreas can correct me if I'm wrong, but I don't think
PAUSE puts any restrictions on the base name of the
distribution that appears in the PAUSE indices that uses. This opens up a couple of scenarios that could 
potentially arise that would make the behaviour you
propose either harmful or more complicated:

- Someone registers a module "MyModule" that coincides
with the base name of a distribution of another author.
Then "install MyModule" within the shell would
be ambiguous - do you mean the module or the distribution?
A different command other than "install" would have to
be used for installing distributions.

- Two authors happen to have a distribution with the
same base name, containing different sets of modules.
Then, "install_distribution DistName" would be
ambiguous which would require user input to resolve.

In both cases an added layer of complexity would be
involved so as to install the right thing.
This doesn't seem any easier (and, in fact, seems
more prone to error) than the current
    cpan> install KWILLIAMS/PathTools-3.14.tar.gz
or, as Andreas mentioned, using to get a list
of recommended modules to update.

best regards,
randy kobes
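
The two ambiguity cases described in the reply above, as an added example that is not part of the original post and not code from CPAN.pm or PAUSE. It assumes the three-column module/version/path layout of a CPAN package index; `build_maps` and `resolve` are hypothetical helpers, and apart from the PathTools path quoted in the post every index entry and author name is constructed.

```python
import re
from collections import defaultdict

# Constructed index lines: "Module::Name  version  A/AU/AUTHOR/Dist-1.23.tar.gz".
# Only KWILLIAMS/PathTools-3.14.tar.gz comes from the post; the rest is invented.
SAMPLE_INDEX = """\
Cwd          3.14  K/KW/KWILLIAMS/PathTools-3.14.tar.gz
File::Spec   3.14  K/KW/KWILLIAMS/PathTools-3.14.tar.gz
Template     1.00  A/AU/AUTHORA/Template-Toolkit-1.00.tar.gz
MyModule     0.01  A/AU/AUTHORB/Some-Stuff-0.01.tar.gz
Other::Thing 0.02  A/AU/AUTHORA/MyModule-0.02.tar.gz
Foo::A       1.0   A/AU/AUTHORA/DistName-1.0.tar.gz
Foo::B       2.0   A/AU/AUTHORB/DistName-2.0.tar.gz
"""

# Split "Dist-Name-1.23.tar.gz" into a base name and a version suffix.
DIST_RE = re.compile(r"^(?P<base>.+?)-v?\d[\d._]*\.(?:tar\.gz|tgz|zip)$")

def build_maps(index_text):
    """Return (module name -> dist path, dist base name -> set of dist paths)."""
    modules, dists = {}, defaultdict(set)
    for line in index_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                      # skip headers and malformed lines
        module, _version, path = parts
        author, filename = path.split("/")[-2:]
        match = DIST_RE.match(filename)
        if not match:
            continue
        dist_path = f"{author}/{filename}"
        modules[module] = dist_path
        dists[match.group("base")].add(dist_path)
    return modules, dists

def resolve(name, modules, dists):
    """Treat `name` as a module OR a distribution base name, as the proposed
    shortcut would. Anything but exactly one candidate must not be installed
    without asking the user."""
    candidates = set(dists.get(name, ()))
    if name in modules:
        candidates.add(modules[name])
    if not candidates:
        return "unknown", []
    status = "ok" if len(candidates) == 1 else "ambiguous"
    return status, sorted(candidates)
```
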
