
This queue is for tickets about the ExtUtils-MakeMaker CPAN distribution.

Report information
The Basics
Id: 48024
Status: rejected
Worked: 10 min
Priority: 0/
Queue: ExtUtils-MakeMaker

People
Owner: Nobody in particular
Requestors: SREZIC [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: Forever running installed.t test (Acme::BadExample-related?)
Today I sent two fail reports testing 1.52_02 and 1.52_03. The fails were generated because I had to manually kill the test, they were literally running forever (check the "wallclock time" information in the test reports). My guess is that you're checking for the versions in the installed modules, and since I installed Acme::BadExample this one probably is causing an endless loop. If this is the case, then you should probably protect the version check using alarm() or so. Regards, Slaven
This is not a bug in ExtUtils::Installed. It is a bug in ExtUtils::MakeMaker and or a bug in Acme::BadExample. The fact that you actually installed Acme::BadExample might also be construed as a bug. cheers, Yves
On Mon Jul 20 14:33:37 2009, YVES wrote:
> This is not a bug in ExtUtils::Installed. It is a bug in
> ExtUtils::MakeMaker and or a bug in Acme::BadExample.
>
> The fact that you actually installed Acme::BadExample might also be
> construed as a bug.
Acme::BadExample is installed on this system because it's an automated smoker, installing everything. If you really think the bug is in EUMM, then you should probably just change the RT queue? Regards, Slaven
Subject: Re: [rt.cpan.org #48024] Forever running installed.t test (Acme::BadExample-related?)
Date: Mon, 20 Jul 2009 15:42:34 -0700
To: bug-ExtUtils-Install [...] rt.cpan.org
From: Michael G Schwern <schwern [...] pobox.com>
Slaven_Rezic via RT wrote:
> Queue: ExtUtils-Install
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
>
> On Mon Jul 20 14:33:37 2009, YVES wrote:
>> This is not a bug in ExtUtils::Installed. It is a bug in
>> ExtUtils::MakeMaker and or a bug in Acme::BadExample.
>>
>> The fact that you actually installed Acme::BadExample might also be
>> construed as a bug.
>
> Acme::BadExample is installed on this system because it's an automated
> smoker, installing everything.
Does a smoker need to install it?
> If you really think the bug is in EUMM, then you should probably just
> change the RT queue?
Sure, MakeMaker will take it.
--
185. My name is not a killing word.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
           http://skippyslist.com/list/
On Mon Jul 20 18:42:57 2009, schwern@pobox.com wrote:
> Slaven_Rezic via RT wrote:
> > Queue: ExtUtils-Install
> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
> >
> > On Mon Jul 20 14:33:37 2009, YVES wrote:
> >> This is not a bug in ExtUtils::Installed. It is a bug in
> >> ExtUtils::MakeMaker and or a bug in Acme::BadExample.
> >>
> >> The fact that you actually installed Acme::BadExample might also be
> >> construed as a bug.
> >
> > Acme::BadExample is installed on this system because it's an automated
> > smoker, installing everything.
>
> Does a smoker need to install it?
There need to be smokers which install everything, smokers which install nothing, and smokers which install something. There's no only and true way to operate a smoker. Regards, Slaven
CC: "Andreas J. Koenig" <andreas.koenig [...] franz.ak.mind.de>, Adam Kennedy <adamk [...] cpan.org>, Michael G Schwern <schwern [...] gmail.com>
Subject: Re: [rt.cpan.org #48024] Forever running installed.t test (Acme::BadExample-related?)
Date: Tue, 21 Jul 2009 10:05:31 +0200
To: bug-ExtUtils-Install [...] rt.cpan.org
From: demerphq <demerphq [...] gmail.com>
2009/7/21 Slaven_Rezic via RT <bug-ExtUtils-Install@rt.cpan.org>:
> Queue: ExtUtils-Install
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
>
> On Mon Jul 20 18:42:57 2009, schwern@pobox.com wrote:
>> Slaven_Rezic via RT wrote:
>> > Queue: ExtUtils-Install
>> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
>> >
>> > On Mon Jul 20 14:33:37 2009, YVES wrote:
>> >> This is not a bug in ExtUtils::Installed. It is a bug in
>> >> ExtUtils::MakeMaker and or a bug in Acme::BadExample.
>> >>
>> >> The fact that you actually installed Acme::BadExample might also be
>> >> construed as a bug.
>> >
>> > Acme::BadExample is installed on this system because it's an automated
>> > smoker, installing everything.
>>
>> Does a smoker need to install it?
>
> There need to be smokers which install everything, smokers which install
> nothing, and smokers which install something. There's no only and true
> way to operate a smoker.
Please direct this matter either to the CPAN admins or to Adam Kennedy or well, anywhere but me.
I don't control ANY of the important parts of this equation, and it seems that my view that this module should not even BE on CPAN is not agreed by others. I certainly do not think that working around insanity like this is my problem.
So far the general reaction has been "installing Acme::BadExample sounds like a dumb idea", and "it's been a useful test of our infrastructure", however, the fact that the module does not prevent itself from being installed and essentially poisons one's install environment says to me it should not be on CPAN. Having said that according to Schwern the module is not indexed by CPAN, maybe for a good reason.
Regardless. The bug here is in something OTHER than ExtUtils::Installed, and this ticket will remain closed or be transferred to a different queue.
Possibly you should not install unindexed modules when cpan testing. I believe that that would have saved you here. Alternatively blacklist ADAMK's modules in the testing environment. Or just block this one.
I don't know, I wash my hands of this mess.
cheers,
Yves
--
perl -Mre=debug -e "/just|another|perl|hacker/"
CC: bug-ExtUtils-Install [...] rt.cpan.org, "Andreas J. Koenig" <andreas.koenig [...] franz.ak.mind.de>, Adam Kennedy <adamk [...] cpan.org>, Michael G Schwern <schwern [...] gmail.com>
Subject: Re: [rt.cpan.org #48024] Forever running installed.t test (Acme::BadExample-related?)
Date: Tue, 21 Jul 2009 19:58:15 +1000
To: demerphq <demerphq [...] gmail.com>
From: Adam Kennedy <adamkennedybackup [...] gmail.com>
There are a number of fixes for this, probably including ExtUtils::MakeMaker attempting to handle unusual cases better, and Acme::BadExample failing (or hanging, or both) its tests so that it can't be installed. The index solution is bad, it would rule out all dev releases. Adam K
2009/7/21 demerphq <demerphq@gmail.com>:
> 2009/7/21 Slaven_Rezic via RT <bug-ExtUtils-Install@rt.cpan.org>:
>> Queue: ExtUtils-Install
>> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
>>
>> On Mon Jul 20 18:42:57 2009, schwern@pobox.com wrote:
>>> Slaven_Rezic via RT wrote:
>>> > Queue: ExtUtils-Install
>>> > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
>>> >
>>> > On Mon Jul 20 14:33:37 2009, YVES wrote:
>>> >> This is not a bug in ExtUtils::Installed. It is a bug in
>>> >> ExtUtils::MakeMaker and or a bug in Acme::BadExample.
>>> >>
>>> >> The fact that you actually installed Acme::BadExample might also be
>>> >> construed as a bug.
>>> >
>>> > Acme::BadExample is installed on this system because it's an automated
>>> > smoker, installing everything.
>>>
>>> Does a smoker need to install it?
>>
>> There need to be smokers which install everything, smokers which install
>> nothing, and smokers which install something. There's no only and true
>> way to operate a smoker.
>
> Please direct this matter either to the CPAN admins or to Adam
> Kennedy or well, anywhere but me.
>
> I don't control ANY of the important parts of this equation, and it
> seems that my view that this module should not even BE on CPAN is not
> agreed by others. I certainly do not think that working around
> insanity like this is my problem.
>
> So far the general reaction has been "installing Acme::BadExample
> sounds like a dumb idea", and "it's been a useful test of our
> infrastructure", however, the fact that the module does not prevent
> itself from being installed and essentially poisons one's install
> environment says to me it should not be on CPAN. Having said that
> according to Schwern the module is not indexed by CPAN, maybe for a
> good reason.
>
> Regardless. The bug here is in something OTHER than
> ExtUtils::Installed, and this ticket will remain closed or be
> transferred to a different queue.
>
> Possibly you should not install unindexed modules when cpan testing. I
> believe that that would have saved you here. Alternatively blacklist
> ADAMK's modules in the testing environment. Or just block this one.
>
> I don't know, I wash my hands of this mess.
>
> cheers,
> Yves
>
> --
> perl -Mre=debug -e "/just|another|perl|hacker/"
CC: bug-ExtUtils-Install [...] rt.cpan.org, "Andreas J. Koenig" <andreas.koenig [...] franz.ak.mind.de>, Adam Kennedy <adamk [...] cpan.org>, Michael G Schwern <schwern [...] gmail.com>
Subject: Re: [rt.cpan.org #48024] Forever running installed.t test (Acme::BadExample-related?)
Date: Tue, 21 Jul 2009 12:20:29 +0200
To: adam [...] ali.as
From: demerphq <demerphq [...] gmail.com>
2009/7/21 Adam Kennedy <adamkennedybackup@gmail.com>:
> There are a number of fixes for this, probably including
> ExtUtils::MakeMaker attempting to handle unusual cases better, and
How? You can construct this kind of attack through almost any seemingly trivial code, including regexes. The only way to track it is something along the lines of alarm, which isn't portable. And I don't think the solution to this is technical, beyond specialized gateway scenarios like the CPAN upload framework. Alarm works there, and if it didn't we could hack a custom perl for Andreas to gateway test code for stuff like that. I mean it seems to me that if you download code from CPAN the one thing that should be pretty reliably "safe" is the version line in a file. The real "solution" to this "problem" is what we do now. We armor the gateway, and then use community vigilance to catch the rest. If people upload bombs, they break someone's setup, and we delete the module, and etc. I mean someone once put a "et phone home" in their Makefile.PL. The community found out, went berserk, and in the end the problem was resolved. That's how you deal with stuff like that. It's not the perl way to try to blockade everything behind defensive barriers. We invite people into our living room because we trust them not to shit on the couch while they are there, and if people do, we don't invite them back. This "issue" seems to me to be much akin to saying that there is an "issue" that glass windows are susceptible to breakage due to having rocks thrown through them. Sure the police station (say Andreas' machines), might see this a real problem, as might certain other types of establishment, but for the common scenario, we assume that people won't be throwing rocks through people's windows, and that if they do they will be caught. The problem isn't that the glass is not resistant to rocks it is the people throwing them who are the problem. To me this is the same.
> Acme::BadExample failing (or hanging, or both) its tests so that it
> can't be installed.
If I had found a ok(0); in the test file I'd have had no issues with it. cheers, Yves
CC: bug-ExtUtils-Install [...] rt.cpan.org, "Andreas J. Koenig" <andreas.koenig [...] franz.ak.mind.de>, Adam Kennedy <adamk [...] cpan.org>, Michael G Schwern <schwern [...] gmail.com>
Subject: Re: [rt.cpan.org #48024] Forever running installed.t test (Acme::BadExample-related?)
Date: Tue, 21 Jul 2009 22:05:53 +1000
To: demerphq <demerphq [...] gmail.com>
From: Adam Kennedy <adamkennedybackup [...] gmail.com>
2009/7/21 demerphq <demerphq@gmail.com>:
> If I had found a ok(0); in the test file I'd have had no issues with it.
I'll go with that immediate solution then. Adam K
Subject: Re: [rt.cpan.org #48024] Forever running installed.t test (Acme::BadExample-related?)
Date: Tue, 21 Jul 2009 09:15:14 -0700
To: bug-ExtUtils-Install [...] rt.cpan.org
From: Michael G Schwern <schwern [...] pobox.com>
demerphq via RT wrote:
> 2009/7/21 Adam Kennedy <adamkennedybackup@gmail.com>:
>> There are a number of fixes for this, probably including
>> ExtUtils::MakeMaker attempting to handle unusual cases better, and
>
> How? You can construct this kind of attack through almost any
> seemingly trivial code, including regexes. The only way to track it is
> something along the lines of alarm, which isn't portable.
I've taken this into the MakeMaker queue to think about how to deal with it.
--
3. Not allowed to threaten anyone with black magic.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
           http://skippyslist.com/list/
On Tue Jul 21 06:20:51 2009, demerphq@gmail.com wrote:
> 2009/7/21 Adam Kennedy <adamkennedybackup@gmail.com>:
> > There are a number of fixes for this, probably including
> > ExtUtils::MakeMaker attempting to handle unusual cases better, and
>
[...]
> The only way to track it is
> something along the lines of alarm, which isn't portable.
I also thought that alarm() isn't portable. But neither "perldoc perlport" has an entry about alarm nor "perldoc -f alarm" has a note about not being implemented everywhere. Though I see a "#ifdef HAS_ALARM" in pp_alarm() in pp_sys.c Regards, Slaven
Subject: Re: [rt.cpan.org #48024] Armor parse_version() against naughty $VERSION code
Date: Tue, 28 Jul 2009 10:28:18 -0700
To: bug-ExtUtils-MakeMaker [...] rt.cpan.org
From: Michael G Schwern <schwern [...] pobox.com>
Slaven_Rezic via RT wrote:
> Queue: ExtUtils-MakeMaker
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=48024 >
>
> On Tue Jul 21 06:20:51 2009, demerphq@gmail.com wrote:
>> 2009/7/21 Adam Kennedy <adamkennedybackup@gmail.com>:
>>> There are a number of fixes for this, probably including
>>> ExtUtils::MakeMaker attempting to handle unusual cases better, and
> [...]
>> The only way to track it is
>> something along the lines of alarm, which isn't portable.
>
> I also thought that alarm() isn't portable. But neither "perldoc
> perlport" has an entry about alarm nor "perldoc -f alarm" has a note
> about not being implemented everywhere. Though I see a "#ifdef
> HAS_ALARM" in pp_alarm() in pp_sys.c
I can use alarm() if it's available, that's a Config check. If it's not either just go unarmored or take a different tack like run it in a thread. Windows is the primary non-alarm target and it's very likely to have threads.
--
184. When operating a military vehicle I may *not* attempt something "I saw in a cartoon".
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
           http://skippyslist.com/list/
Since the desire seems to be for something that will be immune to denial of service, this does seem a bit halting-problem-y. Marking as rejected, but if anyone can suggest a practical way of achieving this, I am all ears.
RT-Send-CC: schwern [...] pobox.com, adamk [...] cpan.org, demerphq [...] gmail.com, andreas.koenig [...] franz.ak.mind.de, adam [...] ali.as, adamkennedybackup [...] gmail.com, schwern [...] gmail.com
On 2014-12-14 05:25:55, ETJ wrote:
> Since the desire seems to be for something that will be immune to
> denial of service, this does seem a bit halting-problem-y.
>
> Marking as rejected, but if anyone can suggest a practical way of
> achieving this, I am all ears.
Module::Metadata aims to solve this problem by evaluating the version line in a Safe compartment. Indeed, this feature is one that is considered a blocker towards switching the PAUSE indexer and EUMM to using Module::Metadata.
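The alarm()-behind-a-Config-check idea discussed earlier in this ticket, sketched as an added example; it is not code from ExtUtils::MakeMaker, Module::Metadata or any participant in the thread. The helper name `guarded_version`, the scratch package name and the two sample version lines are hypothetical and constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Config;

# Hypothetical helper, not ExtUtils::MakeMaker's parse_version():
# evaluate one $VERSION line under a wallclock limit where alarm() exists.
sub guarded_version {
    my ($line, $timeout) = @_;
    my $have_alarm = $Config{d_alarm};    # the Config check from the thread
    my $version;

    my $ok = eval {
        local $SIG{ALRM} = sub { die "timed out after ${timeout}s\n" }
            if $have_alarm;
        alarm($timeout) if $have_alarm;

        # Scratch package keeps the line away from our own variables;
        # newlines stop a trailing comment from swallowing "$VERSION".
        $version = eval "package GuardedVersion::Scratch;\n"
                      . "no strict; no warnings; local \$VERSION;\n"
                      . "$line\n;\$VERSION";
        my $err = $@;
        alarm(0) if $have_alarm;          # disarm before leaving the guard
        die $err if $err;
        1;
    };
    my $err = $@;
    alarm(0) if $have_alarm;              # also disarm on the error path
    return $ok ? { version => $version } : { error => $err };
}

# Constructed sample lines: a normal one, and a stand-in for a module
# whose version line never finishes evaluating. Without alarm() the
# second line runs unguarded and this demo does not return.
my @lines = (
    q{our $VERSION = '1.52_03';},
    q{our $VERSION = do { 1 while 1; '0.01' };},
);

for my $line (@lines) {
    my $r = guarded_version($line, 2);
    my $out = exists $r->{error} ? "ERROR: $r->{error}" : "$r->{version}\n";
    print "$line\n    => $out";
}
```

Perl delivers signals between opcodes, so this guard interrupts a looping statement but not a single long-running opcode such as a heavily backtracking regex match, which only sees the alarm once the match completes.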