
Re: Pre-RFC: Configure option for whether to include taint support

From: demerphq
Date: August 13, 2021 18:23
Subject: Re: Pre-RFC: Configure option for whether to include taint support
Message ID: CANgJU+XT9=hK0NGc2RmmD_rdqH+APRS46PpWOB=sNyDTo0dD5g@mail.gmail.com

On Fri, 13 Aug 2021 at 03:53, Leon Timmermans <fawaka@gmail.com> wrote:

> On Fri, Aug 13, 2021 at 12:27 AM Leon Timmermans <fawaka@gmail.com> wrote:
>
>> On Fri, Aug 13, 2021 at 12:19 AM Neil Bowers <neilb@neilb.org> wrote:
>>
>>> Back in 2012, Steffen Mueller did some experimenting and found that
>>> taint adds somewhere between 10% and 20% runtime overhead:
>>> https://www.nntp.perl.org/group/perl.perl5.porters/2012/10/msg193822.html
>>> As you can see, there was some discussion at that time, but it didn’t
>>> seem to go anywhere. This has come up again as a result of the Quirks
>>> document, and we discussed it in last week’s PSC meeting.
>>>
>>> Anecdotally, very few people use taint (these days), yet we’re all
>>> paying the price. Furthermore, taint causes problems on Windows. For
>>> example, File::Spec is broken on Windows when used with Taint mode on,
>>> because Taint mode restricts use of environment variables (which doesn't
>>> protect anything). See also this reddit discussion[1], on the problems with
>>> taint.
>>>
>>> We’d like to consider adding a Configure option for disabling taint
>>> mode. We see this as a potential first step to having this disabled by
>>> default, and then possibly removing support for taint entirely.
>>>
>>> We’re interested in hearing thoughts on this.
>>>
>>> Neil
>>>
>>> [1]
>>> https://www.reddit.com/r/perl6/comments/718z4o/taint_mode_for_perl_6/dnmu83i/
>>>
>>
>> Using -DNO_TAINT_SUPPORT as Steffen mentioned you can already build such
>> a perl. All we really need to do is add a Configure option so that it can
>> easily be disabled and so that code (especially tests) can take it into
>> account.
>>
>> One open question is if SILENT_NO_TAINT_SUPPORT should be enabled along
>> with it. I would argue it should; without it many tests will refuse to even
>> start running.
>>
>
> Probably most of the work is making the test suite use that %Config option
> to skip any tests depending on it.
>
>
I have a vague recollection we pushed some patches like this when Steffen
introduced the flag. We have been building our perls with this ever since.

cheers,
Yves


-- 
perl -Mre=debug -e "/just|another|perl|hacker/"
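
The test-skipping approach discussed in this thread, as an added example that is not code from the thread or from the perl core test suite: it probes a child interpreter started with `-T` instead of reading a `%Config` key, because the thread does not name one. The helper names `run_under_T` and `taint_status` and the sample argument are hypothetical; the script itself is meant to be run without `-T`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Config;
use Test::More;

# Run $code in a child interpreter started with -T.
# Returns (stdout, wait status); hypothetical helper for this example.
sub run_under_T {
    my ($code, @args) = @_;
    open(my $fh, '-|', $^X, '-T', '-MScalar::Util=tainted', '-e', $code, @args)
        or return ('', -1);
    my $out = do { local $/; <$fh> } // '';
    close $fh;                          # sets $? to the child's wait status
    return ($out, $?);
}

# 'enforced': -T is active and command-line arguments are tainted.
# 'silent'  : -T is accepted but ignored (a SILENT_NO_TAINT_SUPPORT build).
# 'refused' : the interpreter will not start with -T (NO_TAINT_SUPPORT alone).
sub taint_status {
    my ($out, $rc) = run_under_T(
        'printf "%d%d", ${^TAINT}, tainted($ARGV[0]) ? 1 : 0',
        'constructed-input');           # constructed sample argument
    return 'refused' if $rc != 0 || $out eq '';
    return $out eq '11' ? 'enforced' : 'silent';
}

my $status = taint_status();

# Build-time hint for the skip message: the defines named in the thread,
# visible only when they were passed to the compiler through ccflags.
my $define = ($Config{ccflags} // '') =~ /-D(?:SILENT_)?NO_TAINT_SUPPORT\b/
    ? 'present' : 'absent';

plan skip_all => "taint is not enforced by $^X "
               . "(probe: $status, NO_TAINT_SUPPORT define in ccflags: $define)"
    if $status ne 'enforced';

plan tests => 1;

# A taint-dependent test: string eval of tainted data must die under -T.
my ($err) = run_under_T('eval { eval $ARGV[0]; 1 } or print $@', '1');
like($err, qr/Insecure dependency/, 'eval of a tainted argument is rejected');
```

The `silent` result is the one to watch for in production code: a script that relies on `-T` starts normally on such a build but gets no taint checks, so a startup guard should treat anything other than `enforced` as a failure.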
