Re: [ANNOUNCE] ExtUtils::MakeMaker 6.25_06

From: Michael G Schwern
Date: December 29, 2004 19:33
Subject: Re: [ANNOUNCE] ExtUtils::MakeMaker 6.25_06
Message ID: 20041230033301.GA883@windhund.schwern.org

On Wed, Dec 29, 2004 at 01:49:40PM -0500, PPrymmer@factset.com wrote:
> shar on unix was an old time sh(ell) ar(chive) file sharing format that
> turned a binary into a self extracting shell script.

It's also hideously insecure.  You're running a shell script that could do
anything.  A problem with any self-extracting archive.

From shar(1).

SECURITY CONSIDERATIONS
     It is easy to insert trojan horses into shar files.  It is strongly rec-
     ommended that all shell archive files be examined before running them
     through sh(1).  Archives produced using this implementation of shar may
     be easily examined with the command:

           egrep -v '^[X#]' shar.file


> While I doubt that:
> 
>    make shdist
> 
> or:
> 
>    mmk shdist
> 
> is often used nowadays to prepare something for upload to CPAN, I suspect
> that removing it might adversely affect folks that have to email perl module
> distributions along 7 bit email relays

For those that need that there is uutardist.  Or if they really need it
they can just uuencode or base64 encode the tarball themselves.  Or let 
their MTA do it as is the current practice.

I'd throw shdist out if I didn't think it would be more trouble than it's
worth.  I hope nobody's using it.


-- 
Michael G Schwern     schwern@pobox.com     http://www.pobox.com/~schwern/
It's Highball time!
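
The examination that shar(1) recommends, taken one step further as an added example (not part of the original message or of shar itself): rather than only hiding payload and comment lines, the function below reports every line that does not fit the layout BSD shar is assumed to emit. The names `shar_review` and `write_samples` and both sample archives are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from shar(1) or the post. Assumes the BSD shar layout:
# "#" comments, echo/mkdir/sed/exit commands and X-prefixed payload lines.
# Print each line that does not fit that layout; exit status 1 if any is found.
shar_review() {
    awk -v q="'" '
    function safe(p) {   # relative path, no ".." component
        return p ~ "^[A-Za-z0-9._-][A-Za-z0-9._/-]*$" && p !~ "(^|/)[.][.](/|$)"
    }
    function flag(why) { printf "%d: %s: %s\n", NR, why, $0; bad = 1 }
    BEGIN { bad = 0; sedcmd = "sed " q "s/^X//" q " >" }
    marker != "" {       # inside a here-document only payload is allowed
        if ($0 == marker) marker = ""
        else if ($0 !~ /^X/) flag("payload line without X prefix")
        next
    }
    /^#/ || /^$/ || /^exit$/ { next }
    /^echo [xc] - / { if (NF != 4 || !safe($4)) flag("unexpected echo form"); next }
    /^mkdir -p / {
        if ($0 != "mkdir -p " $3 " > /dev/null 2>&1" || !safe($3)) flag("unexpected mkdir form")
        next
    }
    index($0, sedcmd) == 1 {
        n = split(substr($0, length(sedcmd) + 1), part, " << ")
        m = part[2]
        if (n == 2 && safe(part[1]) && m ~ ("^" q "[A-Za-z0-9._/-]+" q "$"))
            marker = substr(m, 2, length(m) - 2)
        else flag("unexpected sed form")
        next
    }
    { flag("unexpected command") }
    END {
        if (marker != "") { print "unterminated here-document"; bad = 1 }
        exit bad
    }' "$1"
}

# Constructed sample archives: a clean one and a copy with one extra command.
write_samples() {
    cat > "$1/clean.shar" << 'SAMPLE'
# This is a shell archive.  Unpack it by entering "sh file".
echo x - hello.txt
sed 's/^X//' >hello.txt << 'END-of-hello.txt'
Xhello, world
END-of-hello.txt
exit
SAMPLE
    awk '/^exit$/ { print "touch unexpected.flag" } { print }' "$1/clean.shar" > "$1/tampered.shar"
}
```

An exit status of 1 means the archive needs a manual read before it is passed to sh(1); file names with spaces are reported too, since the check is deliberately conservative.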
