Beefy Boxes and Bandwidth Generously Provided by pair Networks
Clear questions and runnable code
get the best and fastest answer


by JStrom (Pilgrim)
on Sep 28, 2008 at 23:40 UTC ( #714227=perlquestion: print w/ replies, xml ) Need Help??
JStrom has asked for the wisdom of the Perl Monks concerning the following question:

I tried to upload a new version and received the following error message:

The distribution contains the following world writable directories or files and is therefore considered a security breach and as such not being indexed (followed by a list of every file in the archive)

The only difference between this and the last version is that I did the make-dist on a different computer which is running Strawberry Perl whereas the module was last built using ActiveState Perl. (Not sure how that could make a difference though)

Anyone know what causes this?

Comment on PAUSE Error
Re: PAUSE Error
by graff (Chancellor) on Sep 29, 2008 at 04:06 UTC
    I don't have any direct experience with this, but I think the error message says it all. The computer where you used Strawberry Perl might not have been MS-Windows? (Or maybe it was Windows, but the setup with Strawberry knows how to set unix-style file permissions in the "normal" way).

    Anyway, your use of ActiveState tools seems to have created an upload package in which the unix-style permissions on directories and files allow "group" and "other" users to alter/add/replace file and directory contents. I've seen this sort of result whenever people upload stuff from a windows system to a unix/linux server, and I'm guessing that's the problem.

    Check the manual for whatever tool you use to create the uploaded package file (tar? zip?); there should be an option to control the unix-style file permissions (even though you are working from a Windows box). Make sure the permissions come out looking like "rwxr-xr-x" for directories and executable files, and "rw-r--r--" for other files.

    (If you are using "tar", run "tar tvf your_file.tar" to see how the permissions look.)

Re: PAUSE Error
by ikegami (Pope) on Sep 29, 2008 at 05:35 UTC

    The only difference between this and the last version is that I did

    It may not be a difference in what you did. I believe this security problem surfaced recently (but I can't find the link) and therefore the message could be the result of a recent change to PAUSE. Address the issue stated in the message rather than trying to figure out what you did different.

    Update: Below, brian d foy posted the aforementioned link I couldn't find: Dealing with World-writable Files in the Archive of CPANDistributions. He also confirmed my suspicions that this is a recent change.

Re: PAUSE Error
by Anonymous Monk on Sep 29, 2008 at 06:35 UTC
    Its an old bug in the PAUSE indexer (it should force permissions to whatever its requirements are), I would report it (might get resolved this time).

      It's not a bug in PAUSE, it's a new feature. PAUSE doesn't attempt to change any distributions. It doesn't index them if they'd unwrap with world-writeable bits. This is designed to keep these distributions from being downloaded until the author can fix them.

      brian d foy <>
      Subscribe to The Perl Review
Re: PAUSE Error
by brian_d_foy (Abbot) on Sep 29, 2008 at 07:09 UTC

    This is a change to the PAUSE indexer. It's no longer indexing things that are world-writeable. See the recent threads on the perl-qa list, especially Dealing with World-writable Files in the Archive of CPANDistributions, as well as the discussion on use.perl.

    The fix is to find out which tar you are using and how to set its default permissions, even if you are on Windows. Although Windows doesn't have the idea of unixy permissions, the things it tars up untar in certain ways on Unix.

    Good luck, :)

    brian d foy <>
    Subscribe to The Perl Review
Re: PAUSE Error
by syphilis (Canon) on Sep 29, 2008 at 07:22 UTC
    I use GNU tar on Windows to tar my CPAN distros. It has given me no trouble. (My latest tarball upload to CPAN was about 30 hours ago.) Here's the output of my 'tar --version':
    tar (GNU tar) 1.13.19 Copyright 2001 Free Software Foundation, Inc. This program comes with NO WARRANTY, to the extent permitted by law. You may redistribute it under the terms of the GNU General Public Lice +nse; see the file named COPYING for details. Written by John Gilmore and Jay Fenlason.
Re: PAUSE Error
by JStrom (Pilgrim) on Sep 29, 2008 at 21:16 UTC
    Fixed, that was the problem. It appears that I have two copies of tar on my machine and when I switched around the path to use strawberry, I also switched which version I was running. (tar 1.12 was setting the permissions to 0666 but tar 1.20 uses 0700)

    Many thanks.

Re: PAUSE Error
by GrandFather (Cardinal) on Oct 19, 2008 at 00:14 UTC

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://714227]
Approved by ikegami
Front-paged by ikegami
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others imbibing at the Monastery: (5)
As of 2014-08-29 02:37 GMT
Find Nodes?
    Voting Booth?

    The best computer themed movie is:

    Results (275 votes), past polls