PAUSE warning about world-writable files?

cosimo on 2008-09-27T19:41:26

Today I uploaded a proof-of-concept CPAN distribution I'm going to work on in the next weeks. It's called Imager-SkinDetector.

The PAUSE upload finished, and to my surprise, I received an indexer FAIL status. What? Why? The reason is that the distribution contains "world writable files".

Great. I'm probably the only one on Earth to not know, but... if you know some way to make them not writable on Windows, please tell me. Thanks!


Tar hacks

dagolden on 2008-09-27T21:12:01

This was a recent security hole fix for PAUSE/CPAN.

On Windows, someone on the module-authors list found that they needed to rename their "tar" binary to "gnutar" and then create a tar.bat file that had this single line

gnutar %* --owner=0 "--mode=0700"

Andreas suggested that mode should really be 0755, so I'd suggest trying that first before falling back to 0700.

-- dagolden

Re:Tar hacks

cosimo on 2008-09-28T06:29:02

David, thanks for the tip.

Frankly, I'm thinking that, like me, many CPAN authors who occasionally develop on Win32 will probably not know what's happening or how to fix it.

Do we need to patch our build tools (EU::MM and friends?) I could help here. And yes, it will take ages for everyone to upgrade, I know, but still...

Re:Tar hacks

dagolden on 2008-09-28T14:13:42

A patch to EU::MM would help. Then Andreas could have the Indexer warning point people to upgrade their EU::MM.

-- David

Re:Tar hacks

cosimo on 2008-09-28T06:48:32

I tried this hack, and it sort of works. I had to drop the --owner=0 part, or my tar.exe would complain about a non-existing owner.

I ended up with:

move c:\bin\tar.exe c:\bin\gnutar.exe
vim c:\bin\tar.bat

In tar.bat:

@echo off
c:\bin\gnutar.exe %* --mode=0755

Uploaded the new Imager-SkinDetector 0.02 on CPAN and it was indexed correctly. Thanks!
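The tar.bat wrapper above fixes the modes at packing time, but it is worth checking what actually landed in the archive before uploading. Here is an added example (it is not part of this thread and is not PAUSE's own indexer code) that scans a .tar.gz for members with the other-write bit set, the condition PAUSE rejects, and rewrites an archive with owner 0/0 and normalised modes. It uses Python's standard tarfile module; the sample archive it builds, with an Imager-SkinDetector-0.01 layout and 0777/0666 entries like an unconfigured Win32 tar would produce, is constructed here for illustration. The rewrite goes one step beyond the wrapper's blanket --mode=0755: directories and executables get 0755, everything else 0644.

```python
"""Find and fix world-writable members in a CPAN-style .tar.gz.

Added example, not the thread's code and not PAUSE's indexer.  The
sample archive and its file contents are constructed for illustration.
"""
import io
import tarfile

WORLD_WRITE = 0o002  # the "o+w" bit PAUSE's indexer complains about


def find_world_writable(data: bytes):
    """Return [(name, mode)] for every member with the other-write bit set."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.mode & WORLD_WRITE:
                hits.append((m.name, m.mode))
    return hits


def member_modes(data: bytes):
    """Map member name -> (mode, uid, uname) for inspection after a rewrite."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return {m.name: (m.mode, m.uid, m.uname) for m in tf.getmembers()}


def read_member(data: bytes, name: str) -> bytes:
    """Return the contents of one regular file in the archive."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        return tf.extractfile(name).read()


def sanitize(data: bytes) -> bytes:
    """Rewrite the archive with owner 0/0 ("root") and safe modes.

    Same effect as packing with `gnutar --owner=0 --mode=0755`, except
    that non-executable files become 0644 rather than 0755.  Contents
    and member order are preserved.
    """
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as src:
        with tarfile.open(fileobj=out, mode="w:gz") as dst:
            for m in src.getmembers():
                m.uid = m.gid = 0
                m.uname = m.gname = "root"
                if m.isdir() or (m.mode & 0o111):
                    m.mode = 0o755
                else:
                    m.mode = 0o644
                fobj = src.extractfile(m) if m.isfile() else None
                dst.addfile(m, fobj)
    return out.getvalue()


def make_sample_tarball() -> bytes:
    """Constructed sample: a small dist whose dirs and sources came out
    0777/0666 and owned by a local user, as a Win32 tar without
    --mode/--owner produces.  README is already fine."""
    entries = [
        ("Imager-SkinDetector-0.01", 0o777, None),
        ("Imager-SkinDetector-0.01/Makefile.PL", 0o666,
         b"use ExtUtils::MakeMaker;\nWriteMakefile(NAME => 'Imager::SkinDetector');\n"),
        ("Imager-SkinDetector-0.01/lib", 0o777, None),
        ("Imager-SkinDetector-0.01/lib/Imager/SkinDetector.pm", 0o666,
         b"package Imager::SkinDetector;\n1;\n"),
        ("Imager-SkinDetector-0.01/README", 0o644, b"good file\n"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, mode, body in entries:
            info = tarfile.TarInfo(name)
            info.mode = mode
            info.uid = info.gid = 1000          # non-root local owner
            info.uname = info.gname = "cosimo"  # hypothetical owner name
            if body is None:
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(body)
                tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_tarball()
    for name, mode in find_world_writable(sample):
        print(f"world-writable: {name} ({mode:04o})")
    fixed = sanitize(sample)
    print("after sanitize:", find_world_writable(fixed))
```

To check a real upload, replace make_sample_tarball() with the bytes of your own Imager-SkinDetector-0.02.tar.gz; an empty list from find_world_writable() is what the indexer wants to see.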

See perl-qa

brian_d_foy on 2008-09-27T21:24:23

See the recent threads on the perl-qa list, especially "Dealing with World-writable Files in the Archive of CPAN Distributions". :)

Re:See perl-qa

cosimo on 2008-09-28T06:44:33

Yes, I'm on perl-qa. But I gave up reading that thread, for several reasons...

Motivation?

stu42j on 2008-09-29T19:17:35

Is this module just an excuse to assemble a collection of "sample images" for testing? ;)

Re:Motivation?

cosimo on 2008-09-29T20:22:24

Partly, yes. Damn, you caught me. :-)