Oodler 577

  • About: Mayor of Falvortown
  • Commented on Addressing CPAN vulnerabilities related to checksums
    Not sure if it's still the case but at one point cpan (or "perl -MCPAN -e shell") presented all known mirrors in alphanumeric sort ordering, making it trivial to get an untrusted mirror ranked "high" and likely to be selected...
  • Commented on Vale, David
    I remember him from a YAPC. :( This is from a prayer card I got at my grandma's funeral that I keep in my wallet. Brings me peace to read sometimes, much more than just the standard internet, "F". ~~~...
  • Commented on The Quickest Way to Set Up HTTPS
    I like your style. Note, perlmonks LIMITS you to 8 char passwords; and last time I checked truncates them without telling you. So not surprised here, I don't expect any privacy only anyway - do you? :-)...
  • Commented on I made a calculator
    Packaging is something I need to figure out. There are some neat projects out there, but I haven't explored them at all. A couple I found for Windows that I have no idea if they're even good for this, are:...
  • Commented on I made a calculator
    Here you go, sir: https://github.com/oodler577/gui-doodles/blob/master/calculator/calculator.pl The subs in _ALLCAPS are handlers I defined in wxGlade, then modified. The GUI builder seemed to do a fine job of differentiating between my code and the generated code in subsequent save/code exports....
  • Commented on A dream resyntaxed
    Also, I mistyped in my original comment that I think might have led to some effort on the RTs (sorry). I meant before not begin. Sorry about that, good info nonetheless....
  • Commented on A dream resyntaxed
    Thanks all, Matt; I only have experience with one codebase and I am pretty sure it was not done with a best practice in mind. Are there ways to create maintainable code? Yes. I have not experienced that, personally where...
  • Commented on A dream resyntaxed
    Moose and Moo fail in practice to create maintainable code because of the meta stuff. Maintaining this "in production" is an absolute nightmare (e.g., this "begin" thing - next we're gonna see an "in" and "around". Stick to clearly and...
  • Posted I made a calculator to Oodler 577
  • Posted open invitation to participate in Perl-OpenMP on Github to Oodler 577
    I've had https://github.com/Perl-OpenMP up for a while, but I only recently thought to post an open invitation for others interested in this exploration topic to join. #openmp on irc.perl.org exists, semi-related…
  • Commented on My Favorite Warnings: redefine
    That's actually an interesting question - if you did this in a closure, does the subroutine if there are no longer any references to it get GC'd or do they remain somewhere in memory? You seem to be suggesting they...
  • Commented on My Favorite Warnings: redefine
    I use that closure idiom, particularly when mocking things when writing unit tests. It comes in handy....
  • Commented on A dream realized
    You're expending some hard won social credit on this endorsement of this latest attempt at POOP. For the sake of Perl, I hope you are hitching yourself to the correct attempt and not in some vain attempt to lend credit...
  • Posted Util::H2O ~ Iterative Refinement of Existing Perl Code to Oodler 577
    Util::H2O is an incredibly powerful tool for managing HASH references in a more natural way.
    This post is the first of several that will explore this awesome module. I've star…

  • Aristotle commented on Addressing CPAN vulnerabilities related to checksums

    Yes – if authors signed their distributions themselves, this would verify the origin of the bits all the way to the source, rather than just up to PAUSE, which would be a worthwhile increase in trust. The only problem is the usual web of trust question: if the point is not to have to trust PAUSE then you can’t source authors’ keys from PAUSE, so where do you get them?

  • Robert Rothenberg commented on Addressing CPAN vulnerabilities related to checksums

    PAUSE signatures mean that you trust that this is what was uploaded to PAUSE. But it's possible that a malicious person stole an author's credentials to upload something.

    Author signatures mean that you trust that the author has approved this code.

    There's always the possibility that a malicious person has stolen PAUSE credentials *and* an author's key-signing credentials. It's not foolproof.

    As an added safety, we could add a scheme for multiple signatures to be added. So another person can review code and submit their signature to PAUSE somehow.

  • Neil Bowers commented on Addressing CPAN vulnerabilities related to checksums

    Thanks Jim - now fixed.

  • Neil Bowers commented on Addressing CPAN vulnerabilities related to checksums
    If the mirror is trustworthy and so is the connection to it, does verification of the PAUSE-signed CHECKSUMS serve any remaining purpose?

    Marginal benefit, I'd say. It's an additional check that you're getting the expected file.

    I've heard anecdotally that the checksums once identified a case where an rsync had been interrupted and resulted in a truncated file.

  • nhorne commented on Addressing CPAN vulnerabilities related to checksums

    I have a local mirror which downloads from https://cpan.org, so it's trusted. I then mount the mirror using NFS, so the entry in MyConfig.pm for urllist starts with "file://foo/bar". Even though I know it's trusted I still get:

    Warning: checksum file '/mnt/CPAN/authors/id/G/GB/GBARR/CHECKSUMS' not conforming.

    The cksum does not contain the key 'cpan_path' for 'CPAN-DistnameInfo-0.12.tar.gz'.
    Proceed nonetheless? [no]

    How can I handle this scenario?
