Smoking CPAN with CPANPLUS 0.033

pudge on 2002-05-01T09:08:24

autrijus writes "We just released CPANPLUS 0.033, with lots of testing-oriented features. Also, my new write-up on perl.com talks about Becoming a CPAN Tester with CPANPLUS, which explains how to set up a machine to automatically test modules as they're uploaded. Volunteers wanted!" Most excellent. Anything that aids in testing gets a thumbs up in my book.


Word of warning

IlyaM on 2002-05-03T11:18:36

Interesting article, but the security aspect seems to be missing from it. Automated unattended testing is cool, but it should be implemented very carefully! It may be too dangerous to automatically download any uploaded module and run its test suite. Just because it is CPAN, nobody can guarantee that some day an uploaded module will not have system("rm -rf /") in it. It may be caused by a non-intentional bug in the module, but it is still not fun to find important data lost because of it.

So a couple of pieces of advice for those who want to implement automatic unattended testing of all uploaded CPAN modules:

  • Do not run cpansmoke as root.
  • Do not run cpansmoke under your account. Create a dedicated user account just for running cpansmoke.
  • It is better to forbid network access for processes running under this dedicated user account. Some OSes support firewalls which can be configured this way.
  • If you do not understand the security implications of running arbitrary untrusted code on your computer, it is better to avoid doing automatic unattended testing of all uploaded CPAN modules. Of course you can still do manual testing of selected modules with cpansmoke.

Re:Word of warning

autrijus on 2002-05-05T10:36:04

Thanks! This is very true. I should have mentioned that, although cpansmoke does not install anything to @INC, the Makefile.PL (and test scripts) open a wide door to trojan horses. Personally, I'd recommend running this in a jail or a similar environment.

I'm pondering a 'makeuser' config variable, which specifies the UID during the extract, make and test steps; only the actual 'pure_install' target will be performed under the root account.
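A wrapper that puts IlyaM's advice and the 'makeuser' idea above into one script, as an added example that is neither CPANPLUS code nor anything from the article: it runs the extract, configure, make and test steps only as a dedicated account (never root, never a login user), prints firewall rules that cut that account off from the network, and reserves pure_install for root. The account name cpansmoke, the step names, the archive layout and the iptables owner-match rules are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of CPANPLUS or the article: a privilege-separating
# wrapper for an unattended smoke run. The account name "cpansmoke", the step
# names and the iptables rules are assumptions made for this illustration.

SMOKE_USER="${SMOKE_USER:-cpansmoke}"   # assumed dedicated account, never a login user

# Decide which account may run a build step. Extract, configure, make and
# test run as the unprivileged smoke account (the 'makeuser' idea); only
# pure_install runs as root. Unknown step names are rejected (exit status 1).
step_user() {
    case "$1" in
        extract|configure|make|test) printf '%s\n' "$SMOKE_USER" ;;
        pure_install)                printf 'root\n' ;;
        *)                           return 1 ;;
    esac
}

# Accept a uid/name pair only if it is not root and is exactly the dedicated
# account, so the unprivileged steps can never run under root or under
# someone's personal login.
uid_acceptable() {
    [ "$1" -ne 0 ] || return 1
    [ "$2" = "$SMOKE_USER" ] || return 1
}

# Print, without applying, iptables rules that deny outbound traffic from the
# dedicated uid while keeping loopback, so local-only tests still work. The
# owner match (-m owner --uid-owner) is a standard iptables extension; an
# administrator reviews these lines and applies them as root.
egress_rules() {
    printf 'iptables -A OUTPUT -o lo -m owner --uid-owner %s -j ACCEPT\n' "$1"
    printf 'iptables -A OUTPUT -m owner --uid-owner %s -j REJECT\n' "$1"
}

# Run one step inside the distribution directory as the account step_user
# picks. For extract, the third argument is the archive path as seen from
# inside that directory. su -s /bin/sh is used so the smoke account needs no
# login shell of its own.
run_step() {
    step="$1"; dir="$2"
    who="$(step_user "$step")" || { echo "unknown step: $step" >&2; return 1; }
    case "$step" in
        extract)      cmd="tar xzf '$3'" ;;
        configure)    cmd='perl Makefile.PL' ;;
        make)         cmd='make' ;;
        test)         cmd='make test' ;;
        pure_install) cmd='make pure_install' ;;
    esac
    if [ "$who" = root ]; then
        [ "$(id -u)" -eq 0 ] || { echo "$step must be run as root" >&2; return 1; }
        (cd "$dir" && sh -c "$cmd")
    else
        # Refuse to proceed unless the target account really is the dedicated one.
        uid_acceptable "$(id -u "$who")" "$who" || { echo "refusing to build as $who" >&2; return 1; }
        su -s /bin/sh "$who" -c "cd '$dir' && $cmd"
    fi
}

# Invoked directly as: sh smoke.sh build <dir> <archive>  (none of these steps installs anything)
if [ "${1:-}" = "build" ]; then
    for s in extract configure make test; do
        run_step "$s" "$2" "$3" || exit 1
    done
fi
```

The script never applies the firewall rules itself; `egress_rules "$(id -u cpansmoke)"` prints them for review, and the build loop only runs when the script is called with `build`, so sourcing it just defines the functions. Anything that reaches `make test` has already executed the distribution's Makefile.PL under the smoke account, which is exactly why that account is separate, network-less and never root.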

sudo make test

hanamaki on 2002-05-06T17:14:00

In his article Autrijus writes:

% sudo make test

Here I am a little confused, since IMHO make test should be done (and succeed) as a non-root user.

print "Just another active CPAN-TESTER";

Re:sudo make test

autrijus on 2002-05-07T01:38:42

This is true. However, please refer to the paragraph somewhere above that line:

If any dependent modules were selected in the previous step, then you will have to run make test as root, so it can fetch and install these modules automatically before testing itself.

Since the error could not occur without attempting to install such modules, I had to use sudo to make the story consistent.

I agree that this is somewhat confusing, though; suggestions welcome.