PerlMonks  

Safe.pm considered unsafe?

by dragonchild (Archbishop)
on Dec 29, 2004 at 19:54 UTC ( #418065=perlmeditation )

I posted here several months ago regarding a security alert on bugtraq regarding Safe. Recently, I've been made aware of an email exchange in the past week with tbunce regarding Safe in which he says:
Tim Bunce <xxxxx@xxxxx.xxxxx> writes:
> Safe was a failed experiment. I don't maintain it.
>
> Tim.
>
> On Sun, Dec 19, 2004 at 02:23:07AM +0000, Terrence Brannon wrote:
>> Hi Tim,
>>
>> I am trying to update a CPAN module named Resources:
>>
>> http://search.cpan.org/dist/Resources
>>
>> After running make test on it, the module opens an editor and then
>> after I exit the editor, the test fails with this error:
>>
>> (in cleanup) Can't use an undefined value as a symbol reference
>> at /usr/lib/perl/5.8/Safe.pm line 99 during global destruction.
>>
>> The reason I am writing you about this is twofold:
>>
>> 1/ the AUTHOR section indicates you were the last to update Safe
>> 2/ the AUTHOR section has an old email address for you which you might
>> want to change:
>>
>> xxxxx@xxxxx.xxxxx
>>
>> Cheers,
>> Terrence

I don't know about you, but that bothers me significantly. However, I haven't seen anything anywhere regarding this. What information do others have regarding the safety of Safe?

Edited by Chady -- obscured email address.

Update: I added the whole email thread as it was given to me.

Being right, does not endow the right to be rude; politeness costs nothing.
Being unknowing, is not the same as being stupid.
Expressing a contrary opinion, whether to the individual or the group, is more often a sign of deeper thought than of cantankerous belligerence.
Do not mistake your goals as the only goals; your opinion as the only opinion; your confidence as correctness. Saying you know better is not the same as explaining you know better.

Re: Safe.pm considered unsafe?
by Joost (Canon) on Dec 30, 2004 at 01:08 UTC
Re: Safe.pm considered unsafe?
by perrin (Chancellor) on Dec 30, 2004 at 02:31 UTC
    I don't know anyone who uses Safe in a production environment, and I would certainly never do it. Unlike taint mode, it just doesn't get enough attention to trust it.
      Unless the PAUSE docs are out of date, it uses it:
      Please make sure all your *.pm files contain a $VERSION variable that conforms to the CPAN rules, i.e. the complete computation of $VERSION must take place on the one first line within the module that assigns to it. You can test if this is the case by running
      perl -MExtUtils::MakeMaker -le 'print MM->parse_version(shift)' 'file'
      on the filenames in question. The CPAN indexer will run this code within a Safe compartment, so maybe even if the above command succeeds, PAUSE may fail if you're doing file IO or other potentially dangerous things within that line.
      Reviving a thread five years old, yeah!

      There have been a lot of people using it in production for a long time. It is a great module as long as you realize it is for protecting users from themselves, i.e. disallowing open() and such. It is not for securing a system.
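The operation mask that the PAUSE note and perrin's comment describe, shown as an added example that is not code from this thread, from PAUSE or from ExtUtils::MakeMaker: a small script evaluates a few constructed "$VERSION = ..." lines inside a Safe compartment and reports which ones the default mask lets through. The sample lines and the file name in them are constructed; Safe->new, reval and varglob are the module's documented interface.

```perl
#!/usr/bin/perl
# Added example, not code from this thread, PAUSE or ExtUtils::MakeMaker.
# Evaluates constructed "$VERSION = ..." lines inside a Safe compartment,
# the way the PAUSE note describes, and shows which ones the default
# operation mask rejects.
use strict;
use warnings;
use Safe;

# Evaluate one line of code in a fresh compartment. Returns a hash ref with
# the compartment's resulting $VERSION, or the error Safe raised.
sub eval_version_line {
    my ($line) = @_;
    # The default opmask excludes open(), system(), backticks and the like;
    # a masked op is refused when the code is compiled, before anything runs.
    my $cmp = Safe->new;
    $cmp->reval($line);    # compiled and run in the compartment's own package
    return { ok => 0, error => $@ } if $@;
    # varglob() returns the glob for a symbol in the compartment's root
    # package, so this reads the $VERSION the line assigned there.
    my $version = ${ $cmp->varglob('VERSION') };
    return { ok => 1, version => $version };
}

# Constructed sample lines (hypothetical module contents, not from the thread).
my @samples = (
    q{$VERSION = '1.02';},                                # plain assignment
    q{$VERSION = join '.', 1, 3;},                        # computed, no I/O
    q{open(my $fh, '<', 'VERSION'); $VERSION = <$fh>;},   # file I/O: 'open' is masked
    q{$VERSION = `git describe`;},                        # command execution: masked
);

for my $line (@samples) {
    my $r = eval_version_line($line);
    if ($r->{ok}) {
        print "allowed: $line  => VERSION=$r->{version}\n";
    } else {
        print "blocked: $line  => $r->{error}";
    }
}
```

The first two lines evaluate and yield a version; the last two die with Safe's "trapped by operation mask" error before any statement in them executes. That is exactly the scope perrin describes: the mask keeps code from reaching operations such as open(), and nothing more.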

Node Type: perlmeditation [id://418065]
Approved by idsfa
Front-paged by stvn