Bug#588017: perl: current directory in @INC potentially harmful

Niko Tyni ntyni at debian.org
Sat Apr 2 09:36:52 UTC 2016


On Fri, Apr 01, 2016 at 11:21:45PM +0100, Dominic Hargreaves wrote:
> On Mon, Mar 12, 2012 at 09:49:59PM +0200, Niko Tyni wrote:
> > Just a note that this topic has resurfaced upstream; the thread starts at
> >  http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2012-03/msg00265.html
> 
> And again, this time with a patch:
> 
> https://rt.perl.org/Public/Bug/Display.html?id=127810

Thanks for the note.

For reference, the patch adds a new Configure option (-Dfortify_inc)
that removes cwd from @INC unless a special environment variable is set
at runtime.

> I think that we would want to apply this as soon as practical (assuming
> it gets merged to blead) but I'm not sure if that extends as far as
> us patching 5.24 in Debian. An experimental rebuild would be worthwhile,
> at least.

The patch itself should be harmless (assuming it really is only limited
to -Dfortify_inc), but I doubt we can activate the option soon. Staging
things for a test rebuild will certainly be necessary first, and
testing early would probably give useful information for the upstream
ticket. Our rebuilds cover a different set of software from the upstream
CPAN smoking process.

Overall, this is still in the upstream development stage, and test
rebuilds to help that could be done with a locally patched perl package.
I don't see much need or use for uploading the patch to Debian at this
point, as I suspect this is realistically stretch+1 material.

I note that removing '.' from @INC by default will certainly break
local (non-packaged) Perl programs for some users. This change will need
prominent documentation and is still likely to result in some frustration,
although it's certainly for the greater good.
-- 
Niko Tyni   ntyni at debian.org
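An added example (my own code, not the upstream -Dfortify_inc patch and not from this bug report): a Perl script that audits @INC for the current working directory and strips it at runtime, which is what a local (non-packaged) script can do for itself on a perl that still has '.' in @INC. The module names in the report are arbitrary.

```perl
#!/usr/bin/perl
# Added example: audit @INC for the current directory and remove it.
use strict;
use warnings;
use Cwd qw(getcwd);
use File::Spec;

# True if an @INC entry denotes the current working directory, whether
# spelled as '.' or as an absolute path equal to cwd (e.g. via PERL5LIB).
sub is_cwd_entry {
    my ($dir) = @_;
    return 0 if ref $dir;                 # @INC hooks are not directories
    return 1 if $dir eq '.';
    return ( -d $dir && File::Spec->rel2abs($dir) eq getcwd() ) ? 1 : 0;
}

sub cwd_entries_in_inc { return grep { is_cwd_entry($_) } @INC }

# Remove cwd entries from @INC; returns what was removed. To protect the
# script's own 'use' statements this has to run from a BEGIN block, since
# 'use' is resolved at compile time.
sub drop_cwd_from_inc {
    my @removed = cwd_entries_in_inc();
    @INC = grep { !is_cwd_entry($_) } @INC;
    return @removed;
}

# Resolve a module name the way require searches @INC, without loading it.
# Returns the first matching file path, or undef if nothing matches.
sub resolve_module {
    my ($name) = @_;
    ( my $rel = $name ) =~ s{::}{/}g;
    $rel .= '.pm';
    for my $dir (@INC) {
        next if ref $dir;
        my $candidate = File::Spec->catfile( $dir, $rel );
        return $candidate if -f $candidate;
    }
    return undef;
}

my @found = cwd_entries_in_inc();
print @found ? "cwd is searched by require via: @found\n"
             : "cwd is not in \@INC\n";
my @removed = drop_cwd_from_inc();
print "removed from \@INC: @removed\n" if @removed;

for my $mod (qw(Data::Dumper File::Temp)) {      # arbitrary names
    my $path = resolve_module($mod);
    printf "%-14s -> %s\n", $mod, defined $path ? $path : '(not found)';
}
```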



