Guillem Jover wrote...

> TBH, I was not aware that anyone was running Dpkg modules in taint
> mode.

Well, I do as well, in some private code. I can and probably will change that, though.

> If people are really running this code in taint mode, I'm willing to
> discuss which parts of the API would make sense to cover or not, and
> what tradeoffs related to performance to take, etc.

Honestly, I cannot decide, either on this particular case or in general. On the one hand, given the fact that an author of a code library never knows where and how people will actually use it, it's prudent to play it safe and write all libraries so they run in taint mode as well. On the other hand, certainly a lot of existing Perl libraries do not follow that principle anyway, and you might consider that approach, while desirable, not feasible. Also, there might be a readability tradeoff, which I consider even worse than performance. (I could benchmark the cost of "use strict" and "use warnings" one day; I bet they're worse.)

It's one of the many things where I consider Perl beyond repair. The language is fairly sloppy, but today safeguards like taint mode should be turned on by default to mitigate at least the worst issues that exist. But nobody is willing to fix the massive breakage that would happen then, so it's not going to happen.

--
Christoph