Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"
Christoph Biedl
debian.axhn at manchmal.in-ulm.de
Thu Oct 19 20:46:37 UTC 2017
Guillem Jover wrote...
> TBH, I was not aware that anyone was running Dpkg modules in taint
> mode.
Well, I do as well, in some private code. I can and probably will change
that, though.
> If people are really running this code in taint mode, I'm willing to
> discuss which parts of the API would make sense to cover or not, and
> what tradeoffs related to performance to take, etc.
Honestly, I cannot decide neither on this particular case nor in the
general. On the one hand, given the fact a author of a code library
never knows where and how people will actually use it, it's prudent to
play safe and write all libraries so they run in taint mode as well.
On the other hand, certainly a lot of existing Perl libraries do not
follow that principle anyway and you might consider that approach, while
desirable, not feasible. Also, there might be a readability tradeoff
which I consider even worse than performance. (I could benchmark the
cost of "use strict" and "use warnings" one day, I bet they're worse.)
It's one of the many things where I consider Perl beyond repair. The
language is fairly sloppy but today safeguards like taint mode should
be turned on by default to mitigate at least the worst issues that
exist. But nobody is willing to fix the massive breakage that would
happen then, so it's not going to happen.
¢¢
Christoph
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-perl-maintainers/attachments/20171019/85486528/attachment.sig>
More information about the pkg-perl-maintainers
mailing list