Bug #20168 for CPAN: Module::Signature warning appears even when no gpg is present

Wed Jun 28 11:25:40 2006 dagolden [...] cpan.org - Ticket created

Subject:

Module::Signature warning appears even when no gpg is present

Per comments in source, Module::Signature suggestion isn't supposed to appear unless Crypt::OpenPGP is available or gpg is present. However, the test for gpg looks for a defined gpg config, which gives a false positive if the gpg config is just an empty string. Proper semantic should test that the contents of the gpg config is executable. See patch below. --- CPAN.pm.orig Tue Jun 27 21:56:21 2006 +++ CPAN.pm Tue Jun 27 21:57:21 2006 @@ -920,7 +920,7 @@ # No point in complaining unless the user can # reasonably install and use it. if (eval { require Crypt::OpenPGP; 1 } || - defined $CPAN::Config->{'gpg'}) { + -x $CPAN::Config->{'gpg'}) { $CPAN::Frontend->myprint(qq{ CPAN: Module::Signature security checks disabled because Module::Signature not installed. Please consider installing the Module::Signature module.

Sat Jul 22 07:41:02 2006 andreas.koenig.gmwojprw [...] franz.ak.mind.de - Correspondence added

Subject:	Re: [rt.cpan.org #20168] Module::Signature warning appears even when no gpg is present
Date:	Sat, 22 Jul 2006 13:40:38 +0200
To:	bug-CPAN [...] rt.cpan.org
From:	andreas.koenig.gmwojprw [...] franz.ak.mind.de (Andreas J. Koenig)

Show quoted text

>>>>> On Wed, 28 Jun 2006 11:25:40 -0400 (EDT), " via RT" <bug-CPAN@rt.cpan.org> said:

Show quoted text

> Wed Jun 28 11:25:40 2006: Request 20168 was acted upon. > Transaction: Ticket created by DAGOLDEN > Queue: CPAN > Subject: Module::Signature warning appears even when no gpg is present > Broken in: (no value) > Severity: Normal > Owner: Nobody > Requestors: DAGOLDEN@cpan.org > Status: new > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=20168 >

Show quoted text

> Per comments in source, Module::Signature suggestion isn't supposed to > appear unless Crypt::OpenPGP is available or gpg is present. However, > the test for gpg looks for a defined gpg config, which gives a false > positive if the gpg config is just an empty string. Proper semantic > should test that the contents of the gpg config is executable. See > patch below.

Show quoted text

> --- CPAN.pm.orig Tue Jun 27 21:56:21 2006 > +++ CPAN.pm Tue Jun 27 21:57:21 2006 > @@ -920,7 +920,7 @@ > # No point in complaining unless the user can > # reasonably install and use it. > if (eval { require Crypt::OpenPGP; 1 } || > - defined $CPAN::Config->{'gpg'}) { > + -x $CPAN::Config->{'gpg'}) {

No, this fix is not correct because we neither demand absolute paths nor that the proper extension is present, so we either go through the whole complex search business or we check for whitespace-only. I've tried the latter, the easier path in rev. 730. Will appear in 1.87_53 in the next hours. -- andreas

Sat Jul 22 07:41:06 2006 The RT System itself - Status changed from 'new' to 'open'

Sat Jul 22 09:28:41 2006 dagolden [...] cpan.org - Correspondence added

From:

DAGOLDEN [...] cpan.org

On Sat Jul 22 07:41:02 2006, andreas.koenig.gmwojprw@franz.ak.mind.de wrote: Show quoted text

> No, this fix is not correct because we neither demand absolute paths > nor that the proper extension is present, so we either go through the > whole complex search business or we check for whitespace-only. > > I've tried the latter, the easier path in rev. 730. Will appear in > 1.87_53 in the next hours.

What happens if $CPAN::Config->{'gpg'} is the empty string? From rev 731, it looks like it would still warn. I think that's a problem because when CPAN generates the config file, it puts "q[]" for programs it can't find. On a system without Crypt::OpenPGP and gpg, it doesn't seem like CPAN should be carping about Module::Signature. Checking for whitespace is also a problem because of RT#20272 -- CPAN::FirstTime loses whitespace on the next "autoconfigure" run.

Sat Jul 22 09:52:45 2006 andreas.koenig.gmwojprw [...] franz.ak.mind.de - Correspondence added

Subject:	Re: [rt.cpan.org #20168] Module::Signature warning appears even when no gpg is present
Date:	Sat, 22 Jul 2006 15:52:28 +0200
To:	bug-CPAN [...] rt.cpan.org
From:	andreas.koenig.gmwojprw [...] franz.ak.mind.de (Andreas J. Koenig)

Show quoted text

>>>>> On Sat, 22 Jul 2006 09:28:41 -0400, " via RT" <bug-CPAN@rt.cpan.org> said:

Show quoted text

> Queue: CPAN > Ticket <URL: http://rt.cpan.org/Ticket/Display.html?id=20168 >

Show quoted text

> On Sat Jul 22 07:41:02 2006, andreas.koenig.gmwojprw@franz.ak.mind.de wrote:

>> No, this fix is not correct because we neither demand absolute paths >> nor that the proper extension is present, so we either go through the >> whole complex search business or we check for whitespace-only. >> >> I've tried the latter, the easier path in rev. 730. Will appear in >> 1.87_53 in the next hours.

Show quoted text

> What happens if $CPAN::Config->{'gpg'} is the empty string? From rev > 731, it looks like it would still warn.

I do not think so. Let's see: cpan[1]> m Module::Signature CPAN: Storable loaded ok Going to read /home/k/.cpan/Metadata Database was generated on Fri, 21 Jul 2006 20:29:48 GMT Module id = Module::Signature DESCRIPTION Module signature file manipulation CPAN_USERID AUTRIJUS (Audrey Tang <cpan@audreyt.org>) CPAN_VERSION 0.54 CPAN_FILE A/AU/AUTRIJUS/Module-Signature-0.54.tar.gz UPLOAD_DATE 2006-05-11 DSLIP_STATUS cdpfp (pre-alpha,developer,perl,functions,Standard-Perl) INST_FILE (not installed) cpan[3]> o conf gpg '' gpg [] cpan[4]> get Devel::Symdump Running get for module Devel::Symdump CPAN: Digest::SHA loaded ok CPAN: Compress::Zlib loaded ok Checksum for /home/k/.cpan/sources/authors/id/A/AN/ANDK/Devel-Symdump-2.0602.tar.gz ok Scanning cache /home/k/.cpan/build for sizes Devel-Symdump-2.0602/ Devel-Symdump-2.0602/t/ Devel-Symdump-2.0602/t/recur.t Devel-Symdump-2.0602/t/export.t Devel-Symdump-2.0602/t/tree.t Devel-Symdump-2.0602/t/symdump.t Devel-Symdump-2.0602/t/pod.t Devel-Symdump-2.0602/t/autogen.t Devel-Symdump-2.0602/t/diff.t Devel-Symdump-2.0602/t/podcover.t Devel-Symdump-2.0602/ChangeLog.svn Devel-Symdump-2.0602/MANIFEST Devel-Symdump-2.0602/ChangeLog Devel-Symdump-2.0602/lib/ Devel-Symdump-2.0602/lib/Devel/ Devel-Symdump-2.0602/lib/Devel/Symdump.pm Devel-Symdump-2.0602/lib/Devel/Symdump/ Devel-Symdump-2.0602/lib/Devel/Symdump/Export.pm Devel-Symdump-2.0602/Makefile.PL Devel-Symdump-2.0602/README Devel-Symdump-2.0602/META.yml Devel-Symdump-2.0602/SIGNATURE Removing previously used /home/k/.cpan/build/Devel-Symdump-2.0602 You see: no warning. Show quoted text

> I think that's a problem > because when CPAN generates the config file, it puts "q[]" for programs > it can't find.

Show quoted text

> On a system without Crypt::OpenPGP and gpg, it doesn't seem like CPAN > should be carping about Module::Signature.

D'accord. Show quoted text

> Checking for whitespace is also a problem because of RT#20272 -- > CPAN::FirstTime loses whitespace on the next "autoconfigure" run.

Yes, I have not yet fully thought about this bug report. -- andreas

Sat Jul 22 11:51:57 2006 dagolden [...] cpan.org - Correspondence added

Subject:	Re: [rt.cpan.org #20168] Module::Signature warning appears even when no gpg is present
Date:	Sat, 22 Jul 2006 11:51:35 -0400
To:	bug-CPAN [...] rt.cpan.org
From:	David Golden <dagolden [...] cpan.org>

andreas.koenig.gmwojprw@franz.ak.mind.de via RT wrote: Show quoted text

> > What happens if $CPAN::Config->{'gpg'} is the empty string? From rev > > 731, it looks like it would still warn.

> > I do not think so. Let's see:

Sorry. I misread the "&&" as "||". Thanks for making the fix. David

Sun Jul 23 02:42:55 2006 ANDK [...] cpan.org - Correspondence added

Fixed in 1.87_53

Sun Jul 23 02:42:58 2006 ANDK [...] cpan.org - Status changed from 'open' to 'resolved'