Beefy Boxes and Bandwidth Generously Provided by pair Networks
The stupid question is the question not asked
 
PerlMonks  

Stop Using Perl

by shmem (Chancellor)
on Dec 30, 2014 at 18:46 UTC ( #1111750=perlnews: print w/replies, xml ) Need Help??

Sad news from Germany.

At the 31st Chaos Computer Club Congress, Netanel Rubin (a researcher within Checkpoint) gave a talk about Perl which boils down to misconceptions about lists in perl, which ends with this

Summary
  • Lists are hazardous, bizarre expressions
  • Perl is a hazardous, bizarre language
  • Now's the time to stop using Perl!
    • Stop the write-only code
    • Stop the miss-functional OOP
    • Stop the security breaches all over the place
  • At least know your language "features"

I am absolutely disappointed of the CCC for allowing such a shallow talk which culminates in bashing a language (perl in this case) for documented and expected behaviour of its syntax. The bugs encountered may be spectacular and lurking there for years, but they can easily be fixed from within, without altering the language in any way. How about ditching C and claiming "C programming is harmful" for the existence of the very common pitfall of something called "buffer overflow"?

And, more sadness, Fefe called it brilliant. A strong response from the perl community is due IMHO.

update: the "security breaches all over the place" are located in the small, but important, corner of web applications and the interaction between CGI and DBI. This is in no manner "all over the place". The author did in no way address "miss-functional OOP" nor "write-only code".

And of course you need to know the features of a language you use.

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Replies are listed 'Best First'.
Re: Stop Using Perl
by Jenda (Abbot) on Dec 31, 2014 at 00:50 UTC

    "just regular dictionaries, in Perl they are called hashes" ... and that, dear readers, is the point at which I'd either leave, open a book or start a game on my tablet or notebook.

    Nowadays anyone can call himself a "researcher" and give speeches.

    Jenda
    Enoch was right!
    Enjoy the last years of Rome.

      Nowadays anyone can call himself a "researcher" and give speeches
      So it seems. Googling for "Netanel Rubin" does not show any evidence of Perl (or Python for that matter) expertise. At least, I couldn't find any substantial code written by this guy. BTW, that is in stark contrast to Felix von Leitner (Fefe), who clearly is an accomplished programmer with lots of runs on the board. I couldn't find any runs on the board for Netanel and, in his first talk, I'm afraid he didn't score any.

      What I found offensive was his crude use of propaganda in the camel images accompanying the slides, and in the talk itself. At the start of the talk, for example, after acknowledging that this is his first talk, he urges the audience to say "F*** Perl". Breathtaking. Did his company really give permission to deliver such a vulgar talk?

      Update:

      • reddit discussion of Perl Jam talk in which Netanel Rubin replies that he is not a "Pythonista" (I see no evidence that he is an accomplished programmer in any language) and, embarrassingly, continues to display his ignorance of modern Perl, for which he is taken to task as "a complete novice who never even bothered to learn the language, and is instead relying on popular culture definitions of the language they heard from their equally ignorant peers". Other responses: "the idea that you expect foo($scalar, @array) to be called as if @array were an array reference is just nonsense ... that you showed those slides that claimed that that behavior was unexpected is the very definition of a straw man argument" and "Your argument is incoherent, reflects a misunderstanding of the nature of technical debt and the constraints of project maintenance with limited developer time, and is just about valid as an attack on Perl-as-of-2001 but makes no sense as a complaint against Perl-as-of-2014".
      • Bugzilla bug report in which Checkpoint are taken to task for disclosing the vulnerability to the media before Bugzilla had a chance to fix it and for exaggerating the severity of this vulnerability.

        > Breathtaking. Did his company really give permission to deliver such a vulgar talk?

        It's an Israeli company, the military has such a strong influence on formation in this society that being offensive (for European standards) is considered a virtue.

        I have many friends who came back (often after visiting family) and complained about the "lack of good manners"².

        See also Getting behind Israeli 'frankness' ¹

        IOW many don't shy away to risk talking bullshit, they expect you to talk back and give them reasons to shut up.

        In this sense, Mr Rubin yes you are a prick who didn't do his homework and this unprofessional talk will backfire on you! :)

        Cheers Rolf

        (addicted to the Perl Programming Language and ☆☆☆☆ :)

        ¹) Though after reading this blog Are Israeli rude I see Central Europeans somehow in the middle between Israeli rudeness and American "passive aggressiveness" ... of course well balanced! ;D

        ²) politely phrased (pun intended ;)

        update

        see also Haaretz # Can Israelis learn to have better manners?

        At the start of the talk, for example, after acknowledging that this is his first talk, he urges the audience to say "F*** Perl". Breathtaking. Did his company really give permission to deliver such a vulgar talk?
        I think guy was inspired by Eran Hammer's talk about OAuth ;) As for company's permission, from marketing point of view it is most important to be talked about, and a bit of vulgarity and strong statements help to achieve this goal, no matter if they are correct or wrong as long as they are resonate with the target audience, so sure, why not.
      > just regular dictionaries, in Perl they are called hashes

      I browsed thru the pdf and yes it seems pretty obvious at more than 3 slides that he is blaming Perl for not being Python. ¹

      Hail Python!°

      Cheers Rolf

      (addicted t (o the Perl Programming Language and ☆☆☆☆ :)

      °) Re^2: I want you to convince me to learn Perl

      update

      ¹) for those unaware dict(ionary) is very much a Python term for associative arrays

        And it seems Python is the only language he's somewhat proficient in and even that is a big black box to him. A script kiddie preaching to other script kiddies.

        Jenda
        Enoch was right!
        Enjoy the last years of Rome.

Re: Stop Using Perl
by Anonymous Monk on Dec 30, 2014 at 20:18 UTC

    How embarrasing for Netanel Rubin to embarrass himself and checkpoint.com like that

    http://blog.gerv.net/2014/10/new-class-of-vulnerability-in-perl-web-applications/

    Its amazing the amount of people that blame others for not reading the docs

    But you know whats even more amazing? They patched CGI.pm to warn about this

    # list context can be dangerous so warn: # http://blog.gerv.net/2014.10/new-class-of-vulnerability-in-perl- +web-applications if ( wantarray && $LIST_CONTEXT_WARN ) { my ( $package, $filename, $line ) = caller; if ( $package ne 'CGI' ) { warn "CGI::param called in list context from package $pack +age line $line, this can lead to vulnerabilities. " . 'See the warning in "Fetching the value or values of + a single named parameter"'; } }

    Whatever you thought about CGI.pm before, its about to get real stupid, its breaking backwards compatibility... that was like the only good thing left about it

      Bugs being addressed that fast is another reason for not to stop using such a bizarre language.

      perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

      You contradict yourself. You say the talk is embarrassing (and it is), that it's amazing that CGI.pm was patched to warn about this; then you complain that CGI.pm is "about to get real stupid" by breaking backwards compatibility. Do you not see the contradiction? Sometimes we have to break backwards compatibility to fix issues like this, and the "real stupid" thing is to turn a blind eye and say "well, it's legacy code so fuck it". Doing *that* gives Netanel Rubin, et al, even more fuel for their FUD.

      The fix highlighted in your post only breaks back compatibility for those with fatal warnings enabled - arguably those users with fatal warnings enabled are the most concerned about problems like these. As i've previously stated - v4 releases of CGI.pm will be back compatible (as much as can be when issues like this arise). v5 and beyond *may* not be. CGI.pm is no longer core and Lincoln has trusted me to DTRT. Regarding the v5 releases: "I am altering the deal, pray I don’t alter it any further."

        You say ... that it's amazing

        I'm fairly certain that what the other anon meant is "<sarcasm>amazing</sarcasm>", in which case he/she isn't contradicting him/herself.

        The fix highlighted in your post only breaks back compatibility for those with fatal warnings enabled

        No, at least not as of 4.13; the warning is unconditional and not fatal:

        $ perl -MCGI -sE 'say $CGI::VERSION' 4.13 $ perl -MCGI -E 'no warnings; my $x=CGI->new; $,=", "; say $x->param("x"); say "didnt die"' -- x=foo x=bar CGI::param called in list context from package main line 1, this can l +ead to vulnerabilities. See the warning in "Fetching the value or val +ues of a single named parameter" at /opt/perl5.20/lib/site_perl/5.20. +0/CGI.pm line 437. foo, bar didnt die $ perl -MCGI -E 'use warnings; my $x=CGI->new; $,=", "; say $x->param("x"); say "didnt die"' -- x=foo x=bar CGI::param called in list context from package main line 1, ... foo, bar didnt die $ perl -MCGI -E 'use warnings FATAL=>"all"; my $x=CGI->new; $,=", "; say $x->param("x"); say "didnt die"' -- x=foo x=bar CGI::param called in list context from package main line 1, ... foo, bar didnt die

        Assuming you're the current maintainer: if you want warnings that the user of CGI can enable, disable and make fatal themselves, you should be using warnings::warnif() with warnings::register instead of warn.

        BTW, 4.13 is showing up on search.cpan.org as an unauthorized release.

        You contradict yourself. You say...it's amazing that CGI.pm was patched...
        Definitions/usages of amazing include the notion of being "struck with some degree of horror". I see no contradiction.

        Here is a bug report for you, common pitfall

        $ perl -MCGI=escapeHTML -le " print escapeHTML(qw/ < < < / ) " &lt;

        Also, why not warn about html shortcuts getting used?

        Also, another pitfall you might be able to warn about in some cases, mixing exported param() with CGI->new ?

        Also, why not warn about header_printed ? (you already printed headers, second time doesn't count)

        And big one, warn about anyone using using ReadParse/->Vars

        :)

        Seem odd to have to force scalar context to get a single_value .. there should be a function for that
        sub CGI::first_param { return my( $first ) = param( @_ ); } sub CGI::last_param { return my $last = param( @_ ); }
Re: Stop Using Perl
by eyepopslikeamosquito (Chancellor) on Dec 31, 2014 at 22:21 UTC

    And, more sadness, Fefe called it brilliant.
    German monks please correct me if I'm way off here, but after doing some random googling on Felix von Leitner ("Fefe"), I get the impression that his latest Perl bashing comments are a very minor diversion for him compared to his other more serious activities, such as political campaigning against the German health card and abusive policing, plus membership of the Chaos Computer Club. I assume his political and security activities are why he is so well known in the mainstream German media.

    As for his programming pedigree, he seems to be a grandmaster of Security, Linux, embedded systems, and the C programming language. In terms of programming languages, I don't see much experience except for C. In particular, I don't see much experience in Python or Ruby either, so I doubt his opinion on this talk was in an area of his expertise.

    At least he knows how to write Perl though, having a fleitner CPAN account, and being the proud author of two CPAN distributions, Mirror-1.0 and WebMirror-1.0, though these two have not been updated since 1996.

    Updated: Minor corrections and wording changes.

      I'm a German monk and I seem to remember I heard his name before, but didn't recognize him when I commented.

      This guy seems to be very sarcastic and provocative, he also admits posting wrong stories in his blog to test the "media competence" of his audience.

      While I admit such personalities are useful in niches like open source and IT security, I'm not sure I want to meet them in real life¹.

      Anyway his comment was only limited to three phrases:

      Der Perl-Talk war großartig. Wer den verpasst hat, und mit Perl zu tun hat, sollte sich den dringend angucken. Popcorn bereithalten! :-)

      The Perl-talk was great. Those who missed it and have to deal with Perl, should urgently watch it. Keep your popcorn ready! :-)

      I haven't seen the video yet, but I have to admit that meditating about fat comma was worth talking about it.

      • I'm not sure which backwards compatibility would break if => would force scalar context on the RHS. Till now I can only imagine cases of syntactic sugar broken.

        After all that's the behavior most people seem to expect, list flattening like @c=(@a,@b) can still be done with a simple comma.

      • Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.

        For instance: Why should I even handle requests with multiple real_name ?

      Also worth noting that Sheldon (aka Python) has DWIM mechnanisms, when returning multiple values.

      >>> def func(): return 1 ... >>> func() 1 >>> def func(): return 1,2 ... >>> func() (1, 2) >>> def func(): return (1) ... >>> func() 1 >>> def func(): return (1,) ... >>> func() (1,)

      As you can see one element is "scalar", more are tuples and it's not that intuitive how to return a one element tuple.

      Cheers Rolf

      (addicted to the Perl Programming Language and ☆☆☆☆ :)

      ¹) For instance: I have friends who organized conferences with Richard Stallman and never want to meet him in real life again. This doesn't diminish his importance.

        The Perl-talk was great. Those who missed it and have to deal with Perl, should urgently watch it. Keep your popcorn ready! :-)

        In an earlier announcement he writes: "Um 22:00 verspricht der Perl-Vortrag hochkarätig zu werden." (At 22:00 the Perl lecture promises to be top-class.) Being an influential guy and to some extent spokesman for the CCC (although he dismisses that, his label is associated with the CCC) I judge that as intolerable.

        I haven't seen the video yet, but I have to admit that meditating about fat comma was worth talking about it.

        Your meditations are valid, but building an edge case for "fat comma" as it is, breaks orthogonality. Array context is array context, and that applies to %hash as LHS value.

        perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

        Agreed: the presentatation was quite insolent, but not without merit. There was food for thought. Slides with code and camel mugshots on the left, video inset of Netanel wearing a camel scarf on the right. Charming. :D

        Fat comma just implies a mapping relationship, and one-to-many is a possibility in the abstract sense. The problem is not limited to fat comma either. Consider: @k = qw(foo bar baz); @v = (1,bar(),3); %m = zip @k, @v;

        Power/flexibility is a double-edged sword. No news here. I do wonder though — what if the CGI method had been named params all along? Would that have resulted in fewer thinkos?

        As an American monk, we have a term that describes Leitner: "muck raker". And, at least as a Marine, we have an even better term: "slime".
        I'm not sure which backwards compatibility would break if => would force scalar context on the RHS.

        Try Moose attribute initializers, especially if you use grouping parentheses.

        Furthermore I'm not sure why HTTP responses aren't easily sanitized, such that fields which are not expected to hold multiple values are blocked/filtered before any further processing takes place.

        For instance: Why should I even handle requests with multiple real_name ?

        Hmm... odd thoughts

      German monks please correct me if I'm way off here

      You're not only not wide off, but dead on here (and not only here btw).

      perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
Re: Stop Using Perl
by pme (Parson) on Dec 30, 2014 at 20:53 UTC
    Hi shmem,

    Who is Fefe and why his opinion is so important?

      After reading some entries he seems to be one of these talkative (read "cool") security guys with a Messiah complex.

      The signature of his blog says

      Proudly made without PHP, Java, Perl, MySQL and Postgres

      So don't expect an unbiased or even scientific opinion.

      Cheers Rolf

      (addicted to the Perl Programming Language and ☆☆☆☆ :)

      PS: had to google his blog, the link was broken, maybe due to proud technology.

        Thanks Rolf, I suspected something similar.
      "Who is Fefe and why his opinion is so important?"

      Please see:

      ...because he writes in some influential german newspapers and magazines.

      Best regards, Karl

      «The Crux of the Biscuit is the Apostrophe»

        Thanks Karl, I learned his name.
Re: Stop Using Perl
by soonix (Monsignor) on Dec 31, 2014 at 21:37 UTC
    And, more sadness, Fefe called it brilliant.
    He called "the talk" great. That's not necessarily the content of the talk (or may be ironic). And his hint at popcorn shows that he expects...
    A strong response from the perl community
    I think he is aware of the fact that perl is a tool, and any tool that is powerful enough for serious work provides the possibility to $self->{FOOT}->shoot()
      ... (or may be ironic)

      He would have made that point and written "the talk, not the content".

      And his hint at popcorn shows that he expects...

      I read that rather as "Captain Obvious gives perl what it deserves."

      perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
Re: Stop Using Perl
by morgon (Curate) on Jan 03, 2015 at 23:43 UTC
    A strong response from the perl community is due IMHO.
    There will be a 32c3 congress in not quite a year's time - and the date is always a few days AFTER christmas...

    So why not hope for a talk about the newly released Perl 6 then? Would that not be a cool response? (if only I could believe in it :-)

    Let's hope Larry's talk at FOSDEM will be better publicity for Perl...

      Large parts of this talk are polemic shit but it mentions 2 or 3 issues which should be addressed in perl5, either by new features or better documentation.

      IMHO waiting for a year to rectify things or for perl6 to be the "cavalry" is not the right strategy.

      Update

      This video is going to be linked and cited at many places as "proof" that Perl is dead.

      Cheers Rolf

      (addicted to the Perl Programming Language and ☆☆☆☆ :)

      PS These issues are addressed in Perl 6, AFAIK.

Re: Stop Using Perl
by bloonix (Monk) on Jul 31, 2015 at 20:21 UTC
    The talk is just a rant, not more. Piss on it. ;-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlnews [id://1111750]
help
Chatterbox?
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others contemplating the Monastery: (4)
As of 2017-12-16 17:24 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    What programming language do you hate the most?




















    Results (457 votes). Check out past polls.

    Notices?