Beefy Boxes and Bandwidth Generously Provided by pair Networks
No such thing as a small change
 
PerlMonks  

Re^2: Getting Fed Up with ActiveState

by tsee (Curate)
on Dec 03, 2006 at 18:06 UTC ( #587532=note: print w/ replies, xml ) Need Help??


in reply to Re: Getting Fed Up with ActiveState
in thread Getting Fed Up with ActiveState

There is a very definite reason not to do this in the general case.

The people who have set up CPAN mirrors are donating their bandwidth and storage. If we started uploading binaries (be it PPM or .par's) of all CPAN modules for all versions of perl and for several OS's, the size of the CPAN archive would explode. That might or rather will be considered abuse.

A further issue is that the distribution of binaries from untrusted sources is a major security issue. Suppose anybody could upload a binary for any module. Madness!

Now, laying these points aside, let me tell you that I am regularily uploading binaries to CPAN. Yes, you read that right. I'm violating my own advice here.

Reason for this lies in the nature of those binaries: They're binary builds of PAR (now PAR::Packer) for win32 only. Mainly, this is because PAR has itself traits of a package manager and providing a binary can mean the user does not need to do fancy bootstrapping to get it to work. This has been relaxed now that PAR was split into two distributions, however. The other reason is that Win32 is one of the major user platforms for PAR and doesn't always come with a C compiler. Furthermore, the security issue is sort of minimized by that those packages are always by the same CPAN user as the release manager for PAR itself.

That being said: Why upload PPM's to CPAN which can only reasonably be used with a single specific distribution of perl? (ActivePerl)
Instead, you could use .par archives and provide support for auto-installing them if no compiler was found. This works well with PAR right now.

Steffen


Comment on Re^2: Getting Fed Up with ActiveState
Re^3: Getting Fed Up with ActiveState
by BrowserUk (Pope) on Dec 03, 2006 at 19:10 UTC
    Yes, you read that right. I'm violating my own advice here.

    S'funny how things are okay for 'special cases', when those special cases are close to our own hearts.

    The people who have set up CPAN mirrors are donating their bandwidth and storage.

    Some interesting numbers. Template::Toolkitv2.15.zip PPM is 494 Kb.

    Template::Toolkitv2.15 .tar.gz is 761 Kb.

    There are currently no less than 15 versions of the latter being mirrored. Loosing two of those old versions (to say backpan) would allow 3 versions of the PPM to be held without creating any extra demand on the mirrors.

    the distribution of binaries from untrusted sources is a major security issue.

    Do you inspect every line of every source file in each package you install? What about all the .t files? Does anyone?

    Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.

    There is a pervasive logical disconnect here that says source is safe and binary not. But pervasive does not mean correct. Any and all software sourced from outside your organisation is potentially dangerous. And the idea that all the risks are negated by the potential for visual inspection, even if anyone actually did that--which they don't--is so profoundly wrong, that the idea itself, and those that expound it, should be actively and vigorously countered at every opportunity.


    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

      Addressing your remark about special cases: It wasn't me who started doing those binary releases of PAR. I just became responsible for the PAR releases and continued ongoing practice.

      Whether 15 versions of Template::Toolkit should be supplied via CPAN is an entirely different question than whether we should add various PPM packages per distribution.

      Furthermore, I do know organizations who only allow thoroughly inspected code to be used. But that doesn't matter. It's a question of principle.

      Why would you view the authors of source distributions as trustworthy, and those same people packaging those same modules in binary form as untrustworthy? If you have the processes and procedures in place to verify the integrity of your systems when you build a module from CPAN via a source distribution, those same processes and procedures should also be used to detect miscreant binary installations.

      That's ridiculous. Disassemble shared libraries? I don't think so. Also, you suggested that anybody should be able to upload PPMs for any modules.

      Steffen

        That's ridiculous. Disassemble shared libraries?

        It would be, had that been what I suggested, but I did not. But that you bring it up as a strawman to knock down signposts your intent.

        Ensuring the integrity of your systems by static inspection of code is impossible, even for only moderately complex software.

        The correct way to test software is by running it and observing it's behaviour. Eg. In a sandox environment. Anything less is make-work for a false sense of security.

        you suggested that anybody should be able to upload PPMs for any modules.

        Where?


        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://587532]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others drinking their drinks and smoking their pipes about the Monastery: (6)
As of 2014-07-14 05:48 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (255 votes), past polls