Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Scanning /tmp and publishing found pathnames potentially considered harmful #4

Closed
andk opened this issue Oct 23, 2013 · 2 comments
Closed

Scanning /tmp and publishing found pathnames potentially considered harmful #4

andk opened this issue Oct 23, 2013 · 2 comments

Comments

@andk
Copy link

andk commented Oct 23, 2013

This test report might be considered spying by some. Please take utmost care that you do not scan directories you do not own.

http://www.cpantesters.org/cpan/report/8d9bf222-39ee-11e3-bbd4-fb49f34aa4a3

Curious what went wrong here. I'm blocking my smoker for 0.4.0 now

Thanks,
@kentfredric
Copy link
Member

Thanks for the report. Its not so much intended as "Spying" but a symptom of the rather flimsy nature of heuristic based analysis, especially when it comes to filesystems, determining "is this directory a development directory, or a child of one" is hard to compute reliably.

Because to determine if a directory is "a child of a development directory", one must uplevel until one finds the development directory, or uplevel until one hits the OS root.

Unfortunately, the real reason it false-positives on your smoker is lost because it falls below the output length limit. "Somewhere" at the end of the trace it would have reported something suggesting a false positive reason.

I have plans to make this better, its just a very hard problem really.

For instance, to guard against the possibility that Config{*libexp} might be nested underneath something that is a development directory, a future Path::FindDev will cease searching if it reaches one of those paths, requiring user intervention if they want to search beyond there.

And any values of File::HomeDir->* will be eventually be "stopping points".

And this test itself should only be downgraded to a warning, because the problem this test is attempting to warn users against is the possibility that the module will, for some reason, not work on their machine, but its testing the entirely wrong places for that, so this specific test will be nixed, and maybe at very most emit the conclusive reason why it false positived ( easier for me to do now, no need to do aggressive debug output to see it )

The reason is really there are a host of ways this module may not work in some cases for users with unusual filesystem layouts, and so this test is attempting to smoke those problems out in advance of the module being installed, so that the user isn't knowingly running code that is broken.

@andk
Copy link
Author

andk commented Oct 23, 2013

Thanks for your quick reply. I'd be grateful if you could make a new
release available soon, it makes me nervous to see this test in wide circulation.

The reason is really there are a host of ways this module may not work in some
cases for users with unusual filesystem layouts

The world is full with unusual filesystem layouts. Please write your
code as defensive as possible.

Thanks again,

andreas

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@andk @kentfredric