Skip Menu |
 

This queue is for tickets about the Module-Build CPAN distribution.

Report information
The Basics
Id: 30789
Status: resolved
Priority: 0/
Queue: Module-Build

People
Owner: Nobody in particular
Requestors: adamkennedybackup [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: (no value)
Fixed in: (no value)



CC: "List - Module-Build" <module-build [...] perl.org>, bug-Module-Build [...] rt.cpan.org
Subject: Re: Version parsing confused by sub version {}
Date: Sat, 17 Nov 2007 12:38:26 +1100
To: "Michael G Schwern" <schwern [...] pobox.com>
From: "Adam Kennedy" <adamkennedybackup [...] gmail.com>
Download (untitled) / with headers
text/plain 1.4k
Dear god that is evil. How the hell is doing that sort of stuff. Adam K On 17/11/2007, Michael G Schwern <schwern@pobox.com> wrote: Show quoted text
> > A bug in MakeMaker's parse_version() was found recently. Module::Build > has > the same bug. > https://rt.cpan.org/Ticket/Display.html?id=30747 > > It's reproducible by getting the version from a module like this: > > $VERSION = 1.23; sub version { $VERSION } > > and then this: > > use version; $VERSION = version->new(2.34); > > The version() routine pollutes the namespace in which the $VERSION code is > evaled. It thinks version->new() is version()->new() calling the > polluting > version() routine. MakeMaker fixed it by deleting any version() routines > from > the symbol table before trying to eval the $VERSION code. > > Here's code to reproduce: > > $ cat Version_Sub.pm > package Version_Sub; > > $VERSION = 1.23; sub version { $VERSION } > > 1; > > > $ cat Uses_version.pm > package Uses_version.pm; > > use version; $VERSION = version->new(2.34); > > 1; > > > $ perl -wle 'use aliased "Module::Build::ModuleInfo"; print > ModuleInfo->new_from_file("Version_Sub.pm")->version; print > ModuleInfo->new_from_file("Uses_version.pm")->version' > 1.23 > Can't call method "new" without a package or object reference at (eval 10) > line 8, <GEN1> line 3. > > > -- > Insulting our readers is part of our business model. > http://somethingpositive.net/sp07122005.shtml > >
Subject: Re: [rt.cpan.org #30789] Re: Version parsing confused by sub version {}
Date: Sat, 17 Nov 2007 00:21:00 -0800
To: bug-Module-Build [...] rt.cpan.org
From: Michael G Schwern <schwern [...] pobox.com>
Download (untitled) / with headers
text/plain 226b
Adam Kennedy via RT wrote: Show quoted text
> Dear god that is evil.
It's an entirely unintentional consequence of an innocent bit of code. The evil is our mechanic for determining versions. -- Stabbing you in the face for your own good.
Subject: Re: [rt.cpan.org #30789] Re: Version parsing confused by sub version {}
Date: Sat, 17 Nov 2007 22:35:09 +1100
To: bug-Module-Build [...] rt.cpan.org
From: "Adam Kennedy" <adamkennedybackup [...] gmail.com>
Download (untitled) / with headers
text/plain 966b
It is a violation of trust. We execute arbitrary code in the version checking mechanism. We've had options to NOT do that and write things that checked it without executing arbitrary code. Unfortunately, things like "use version; $VERSION = qv{...};" have locked us into the pact. We execute arbitrary code, we thus must expect people setting their $VERSION strings to not abuse that. Thus, evil. Believe me, I'd FAR prefer to just write a PPI-like routine that reads $VERSION as a string and doesn't execute anything. But that is obviously not going to happen. Adam K On 17/11/2007, Michael G Schwern via RT <bug-Module-Build@rt.cpan.org> wrote: Show quoted text
> > > <URL: http://rt.cpan.org/Ticket/Display.html?id=30789 > > > Adam Kennedy via RT wrote:
> > Dear god that is evil.
> > It's an entirely unintentional consequence of an innocent bit of > code. The > evil is our mechanic for determining versions. > > > -- > Stabbing you in the face for your own good. > >
Subject: Re: [rt.cpan.org #30789] Re: Version parsing confused by sub version {}
Date: Sat, 17 Nov 2007 19:08:01 -0800
To: bug-Module-Build [...] rt.cpan.org
From: Michael G Schwern <schwern [...] pobox.com>
Download (untitled) / with headers
text/plain 442b
Adam Kennedy via RT wrote: Show quoted text
> We execute arbitrary code, we thus must expect people setting their > $VERSION strings to not abuse that. > > Thus, evil.
Most folks have no idea how the $VERSION magic works. Show quoted text
> Believe me, I'd FAR prefer to just write a PPI-like routine that reads > $VERSION as a string and doesn't execute anything. > > But that is obviously not going to happen.
Why not? -- Stabbing you in the face for your own good.
Subject: Re: [rt.cpan.org #30789] Re: Version parsing confused by sub version {}
Date: Sun, 18 Nov 2007 16:35:31 +1000
To: bug-Module-Build [...] rt.cpan.org
From: "Adam Kennedy" <adamkennedybackup [...] gmail.com>
Download (untitled) / with headers
text/plain 823b
Most people want their shiny ways to set $VERSION? Believe me, if you want to start a crusade, I'm right there with you, I've been arguing for a "taint-safe version" metric in kwalitee for ages. Adam K On 18/11/2007, Michael G Schwern via RT <bug-Module-Build@rt.cpan.org> wrote: Show quoted text
> > > <URL: http://rt.cpan.org/Ticket/Display.html?id=30789 > > > Adam Kennedy via RT wrote:
> > We execute arbitrary code, we thus must expect people setting their > > $VERSION strings to not abuse that. > > > > Thus, evil.
> > Most folks have no idea how the $VERSION magic works. > >
> > Believe me, I'd FAR prefer to just write a PPI-like routine that reads > > $VERSION as a string and doesn't execute anything. > > > > But that is obviously not going to happen.
> > Why not? > > > -- > Stabbing you in the face for your own good. > >
Subject: Re: sub version {} pollutes 'eval' package
Download (untitled) / with headers
text/plain 360b
I thought I closed this already. (rt not playing nice?) Fixed in svn r10264 by incrementing the eval'd package each time. Yes, we'll eventually run out of integers on *really* big runs -- but not likely. For bonus points, delete the package after the eval. As for the discussion, please feel free to continue it on the Module::Build list. Thanks, Eric


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.