[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#878901: dh-make-perl: FTBFS with dpkg >= 1.19: "Insecure dependency in eval while running with -T switch"

Guillem Jover wrote...

> TBH, I was not aware that anyone was running Dpkg modules in taint
> mode.

Well, I do as well, in some private code. I can and probably will change
that, though.

> If people are really running this code in taint mode, I'm willing to
> discuss which parts of the API would make sense to cover or not, and
> what tradeoffs related to performance to take, etc.

Honestly, I cannot decide neither on this particular case nor in the
general. On the one hand, given the fact a author of a code library
never knows where and how people will actually use it, it's prudent to
play safe and write all libraries so they run in taint mode as well.
On the other hand, certainly a lot of existing Perl libraries do not
follow that principle anyway and you might consider that approach, while
desirable, not feasible. Also, there might be a readability tradeoff
which I consider even worse than performance. (I could benchmark the
cost of "use strict" and "use warnings" one day, I bet they're worse.)

It's one of the many things where I consider Perl beyond repair. The
language is fairly sloppy but today safeguards like taint mode should
be turned on by default to mitigate at least the worst issues that
exist. But nobody is willing to fix the massive breakage that would
happen then, so it's not going to happen.



Attachment: signature.asc
Description: Digital signature

Reply to: