
Re: why I will not use ActiveState again

by syphilis (Chancellor)
on Dec 01, 2006 at 13:54 UTC

in reply to why I will not use ActiveState again
in thread Getting Fed Up with ActiveState

They totally replaced File::Path with another implementation that has different bugs and the same version number

You're quite right - which surprised me. A diff of ActivePerl build 819 and perl 5.8.8 built from CPAN source produced (in part) the following:
-our $VERSION = "1.08"; # but modified for ActivePerl +our $VERSION = "1.08";
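Review bot: both sides of this diff set `$VERSION` to "1.08", and the only sign of the change is the trailing `# but modified for ActivePerl` comment, so code that checks `$File::Path::VERSION` at run time cannot tell the two implementations apart. A distinct version value on the modified copy would make the divergence detectable without reading the source.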
I think they should have at least made mention of the modification in the File::Path documentation.


Replies are listed 'Best First'.
Re^2: why I will not use ActiveState again
by gisle (Novice) on Dec 01, 2006 at 23:18 UTC
    You'll find the following note in the ActivePerl ChangeLog:
    * File::Path's rmtree() function has been replaced to address security vulnerability CAN-2005-0448.

    We have basically adopted the version from Debian Linux.

    BTW, we also publish this patch file that documents how the current ActivePerl differs from the official 5.8.8.

      Unfortunately, when someone comes to me and says, "Your module produces errors or warnings on my ActivePerl install," it's difficult for me to determine that it's because a core module several layers up the chain is different. I certainly don't want to consult that patch file for every recursively included module. The changed rmtree didn't just address some vulnerability, it introduced at least one new behavior, carping on [] as the first arg to rmtree. With a core that doesn't behave like the perl core, it's harder to support. The changes may be minor, but they're distracting and make debugging take significantly longer where it shouldn't, like in pure Perl modules. As someone who tries to support every platform, I find it very frustrating.
        it's difficult for me to determine that it's because a core module several layers up the chain is different

        I think that point of yours (along with the rest of your post) is fair enough. And I also think that ActiveState's decision to modify the module is fair enough.

        So ... let's get constructive about the issue ... what should they be doing (from the perspective of a module author) when they perceive a need to amend a core module ?
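
One check a module author could ask a user to run when a bug report might involve a vendor-modified core module. This is an added example, not part of the thread and not ActiveState's code; the `fingerprint` helper and the empty `%REFERENCE` table are hypothetical, and the marker string is the comment from the diff quoted in the first post.

```perl
#!/usr/bin/perl
# Fingerprint modules so a bug report shows when a core module differs
# from the stock copy even though its $VERSION is identical.
use strict;
use warnings;
use Digest::SHA;

# Marker taken from the diff quoted in the thread. Other vendors may word
# it differently, so a missing marker means "unknown", not "stock".
my $VENDOR_MARKER = qr/modified for ActivePerl/;

# Placeholder table (assumption): fill with SHA-256 hex digests computed
# from a perl built from CPAN source, keyed by module name.
my %REFERENCE = (
    # 'File::Path' => '<sha256 of the stock File/Path.pm>',
);

sub fingerprint {
    my ($module) = @_;
    return unless $module =~ /\A\w+(?:::\w+)*\z/;   # plain module names only
    (my $key = "$module.pm") =~ s{::}{/}g;
    eval { require $key; 1 } or return;             # not installed
    my $path   = $INC{$key};
    my $digest = Digest::SHA->new(256)->addfile($path, 'b')->hexdigest;

    # Inspect only the first $VERSION assignment for the vendor marker.
    my $marked = 0;
    open my $fh, '<', $path or die "open $path: $!";
    while (my $line = <$fh>) {
        next unless $line =~ /\$VERSION\s*=/;
        $marked = 1 if $line =~ $VENDOR_MARKER;
        last;
    }
    close $fh;

    my $version = $module->VERSION;
    $version = 'n/a' unless defined $version;
    my $status = $marked                        ? 'vendor-modified (marker found)'
               : !exists $REFERENCE{$module}    ? 'unknown (no reference digest)'
               : $REFERENCE{$module} eq $digest ? 'matches reference'
               :                                  'DIFFERS from reference';
    return { module => $module, version => $version,
             path => $path, sha256 => $digest, status => $status };
}

for my $module (@ARGV ? @ARGV : 'File::Path') {
    my $fp = fingerprint($module);
    unless ($fp) { warn "$module could not be loaded\n"; next }
    printf "%s %s\n  %s\n  sha256 %s\n  %s\n",
        @{$fp}{qw(module version path sha256 status)};
}
```

Run it with no arguments to check `File::Path`, or pass other module names on the command line; the digest line is what lets two installs with the same `$VERSION` be compared.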

