After receiving some positive reply (
http://www.perlmonks.org/index.pl?node_id=350129 ), I changed and uploaded
everything this morning, and I deleted all the old distributions. I did it
even before you sent me your message, and before you took action on
PAUSE indexing, so I have been faster than you :-).
For this reason, PAUSE already contains the new files, so please could
you just restore the index without having to re-upload the same files with
another name?
I am very sorry to have underestimated the possible security risk in my own
code; anyway, I fixed it quickly.
About my unpublished email address.... I was receiving over 500 spam messages per
day, so I just try to avoid publishing my e-mail address... anyway you
reached me at my secret address ;-)
Please, let me know,
Thank you
Domizio Demichelis
> I am very sorry to have underestimated the possible security risk in my own
> code; anyway, I fixed it quickly.
Domizio,
thanks for the quick action. i figured you weren't trying to do anything
malicious. someone will fix up your latest uploads if they don't appear
in the listings. If you have a problem after a couple of days, write to
mod...@perl.org to remind us.
thanks again,
--
brian d foy <com...@panix.com>
> Hi all,
> About the possible security risk in the Makefile.PL in my
> distributions, I
> proposed a change into the makefiles and posted it in Perl Monks. (
> http://www.perlmonks.org/index.pl?node_id=350119 )
>
> After receiving some positive reply (
> http://www.perlmonks.org/index.pl?node_id=350129 ), I changed and
> uploaded
> everything this morning, and I deleted all the old distributions. I did
> it
> even before you sent me your message, and before you took action on
> PAUSE indexing, so I have been faster than you :-).
I have re-indexed them on search. However, I must agree with a comment
on that second page:
    Although I still think that asking before making a network connection
    that the user didn't ask for is the only polite thing to do.
Making a connection without first asking, which your code still does,
is not polite, and many will see that alone as an issue.
Graham.
> For this reason, PAUSE already contains the new files, so please could
> you just restore the index without having to re-upload the same files with
> another name?
Done. Thanks for the quick fix.
> I am very sorry to have underestimated the possible security risk in my own
> code; anyway, I fixed it quickly.
> About my unpublished email address.... I was receiving over 500 spam messages per
> day, so I just try to avoid publishing my e-mail address... anyway you
> reached me at my secret address ;-)
Spamassassin is your friend.
And I agree with Graham that "calling home" without asking the user
is problematic.
Thanks again & Regards,
--
andreas
So, since for other people a prompt during the install is problematic as
well, and since for me it is problematic to not even know that someone is
installing my modules, I decided to put a clear note in the "INSTALLATION"
POD section which will inform the users about that version checking
process.
I hope that everybody can be happy with this solution.
Domizio
Domizio> So, since for other people a prompt during the install is
Domizio> problematic as well, and since for me it is problematic to not
Domizio> even know that someone is installing my modules, I decided to
Domizio> put a clear note in the "INSTALLATION" POD section which will
Domizio> inform the users about that version checking process.
That's not sufficient for me. I never read "INSTALLATION" if CPAN.pm's
"install" command works.
No, the default should be "don't phone home", although you can
put a note that prints from Makefile.PL to say:
If you'd like to verify that you have the latest version,
please run "perl Makefile.PL check_version=1" instead.
and enable your check when the appropriate variable is found.
--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<mer...@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
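Randal's opt-in scheme, written out as an added Makefile.PL sketch (example code, not from the thread or from Domizio's distributions). The distribution name, version, check URL and the use of LWP::UserAgent are assumptions; the reply from the server is treated as a plain version string and is never passed to eval, in contrast to the downloaded-code eval discussed later in the thread.

```perl
use strict;
use warnings;
use ExtUtils::MakeMaker;

# Placeholders: the real distribution name, version and check URL are assumptions.
my $dist_name    = 'My::Module';
my $dist_version = '0.01';
my $check_url    = 'http://version-check.example.invalid/latest';

# Opt-in only: connect when the user passed "check_version=1" on the command line.
my $check_version = grep { $_ eq 'check_version=1' } @ARGV;
# Drop our private argument so MakeMaker only sees its own KEY=VALUE arguments.
@ARGV = grep { !/^check_version=/ } @ARGV;

if ($check_version) {
    check_latest_version();
}
else {
    # Default is "don't phone home": just tell the user how to opt in.
    print "If you'd like to verify that you have the latest version,\n",
          "please run \"perl Makefile.PL check_version=1\" instead.\n";
}

WriteMakefile(NAME => $dist_name, VERSION => $dist_version);

# Fetch the latest version number and compare it. The reply is treated strictly
# as data: it must be a bare version string, and it is never executed.
sub check_latest_version {
    eval { require LWP::UserAgent; 1 } or do {
        print "LWP::UserAgent not installed; skipping version check.\n";
        return;
    };
    my $ua  = LWP::UserAgent->new(timeout => 10);
    my $res = $ua->get("$check_url?dist=$dist_name");
    unless ($res->is_success) {
        print "Version check failed: ", $res->status_line, "\n";
        return;
    }
    my ($latest) = $res->decoded_content =~ /\A\s*(\d+(?:\.\d+)*)\s*\z/;
    unless (defined $latest) {
        print "Unexpected reply from the version server; ignoring it.\n";
        return;
    }
    if ($latest eq $dist_version) {
        print "You have the latest version of $dist_name ($dist_version).\n";
    }
    else {
        print "Latest release of $dist_name is $latest; you have $dist_version.\n";
    }
}
```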
> >>>>> "Domizio" == <dom...@4pro.net> writes:
>
>
> Domizio> So, since for other people a prompt during the install is
> Domizio> problematic as well, and since for me it is problematic to not
> Domizio> even know that someone is installing my modules, I decided to
> Domizio> put a clear note in the "INSTALLATION" POD section which will
> Domizio> inform the users about that version checking process.
>
> That's not sufficient for me. I never read "INSTALLATION" if CPAN.pm's
> "install" command works.
>
> No, the default should be "don't phone home", although you can
> put a note that prints from Makefile.PL to say:
>
> If you'd like to verify that you have the latest version,
> please run "perl Makefile.PL check_version=1" instead.
>
> and enable your check when the appropriate variable is found.
I agree. A module initiating network connections without my explicit
approval is a naughty module.
--
Jarkko Hietaniemi <j...@iki.fi> http://www.iki.fi/jhi/ "There is this special
biologist word we use for 'stable'. It is 'dead'." -- Jack Cohen
I agree as well. Though I'm interested in why Domizio says "for me is
problematic to not even know that someone is installing my modules".
I'd certainly *like* to know who's installing the DBI module, for
example, and I'm sure other authors would be interested for their modules.
But I would think it rude to have the software automatically report
information to me. Not to mention being an invasion of privacy.
Perhaps some standard mechanism could be built into perl module
installers that could be optionally enabled by users who are
willing to share that information.
Tim.
Yes, something like this is often requested. People ask for download
statistics of CPAN for their modules, for example.
> But I would think it rude to have the software automatically report
> information to me. Not to mention being an invasion of privacy.
And depending on how the registering attempt is made, potentially a
security alert in the corporate firewall...
> Perhaps some standard mechanism could be built into perl module
> installers that could be optionally enabled by users who are
> willing to share that information.
Email, HTTP, hmmm?
There's a thread on this topic at http://perlmonks.org/index.pl?node_id=350484 .
I think that nobody would like to do something that is potentially useless
or isn't worth the effort. As I already said, writing the documentation of
my distributions in English takes me a really great amount of time,
thus knowing that the product of my efforts is useful to (many?) people
is probably my strongest motivation/help to do it.
It's understandable that people tend to avoid registrations, subscriptions
and ratings, and sending messages to the author is not their priority
unless they encounter some problem with your module, so unless your
documentation is poor or your modules have bugs, you will not receive
feedback consistent with the real usefulness you are providing to the
community. :-)
Besides, ratings are nice, but they are not used too much and they don't
give consistent feedback.
I think CPAN should provide better feedback to the authors, so they
could see how much *interest* their distributions really have.
This lack of feedback from CPAN made me add my own personal statistics at
least to my own distributions. Besides, I wanted to implement my personal
CVS, and the most versatile solution I found was to add some code
execution through an eval of downloaded code, thus allowing me to centrally
update all my distribution installers when and if I need to change
something, without having to release a new version of each distribution.
I agree that executing code that comes from the network does represent a
security risk. I'm very sorry to have underestimated the possible risk of
having the code hijacked or my own server owned, and for this reason I have
immediately taken action, patching all with safe code. Anyway, the CPAN
installation itself probably has the same problems of hijacking and
exploitation as any other connection, but after the patch that is not my
responsibility any more :-).
You know, different people with different cultures will have different
feelings about the same matter; for example, I didn't even think that
anyone could feel "calling home without explicit permission of the user"
was something *not polite* before this thread started, so since I don't
want to do anything behind anyone's back, I proposed to add a clear
explanation in the doc.
But I read even something about "privacy violation", and this really
confuses me.
Who of you has never sent any cookie to the client "without explicit
permission of the user"? But I want to make it simpler: when you just
*log* the user that uses your site, are you doing any privacy violation?
Isn't it your right (and pleasure) to know who (IP) is using your site,
how much time they dedicate to a page or another, if they are coming from
Europe, USA or China?
I think that it's exactly the same concept here: an installer that sends
just the name and version of the distribution and the version of perl, IMHO, is not
violating any privacy at all! The Makefile.PL is sending neither any
private information, nor any file structure, nor any data that is property
of the user! It's just sending data coming from your own work! Why not
include in the CPAN installation process something like what my own
Makefile.PLs are doing right now just for me, and make it available through
CPAN to all the authors? Then each author could see his own statistics and
be very happy and productive, and the perl community will take advantage
of that.
Maybe this is not your case, but believe me, if you can see a log of
downloads this stimulates you to be more productive; if you see you have
just a few downloads you start to worry about what you could improve to
interest people, even if the download statistic doesn't mean that the
module is worth the download.
I say this just because it happened to me. I was worried about the fact
that I was receiving very little feedback about Template::Magic, and then I
introduced my own feedback code: it's been 6 months now, and in these 6 months
I have been dedicating a really huge amount of time to writing documentation in English
for many distributions (not all published yet), which I would never have done
without looking at my logs daily!
And let me propose another idea: CPAN should provide publicly and freely
available statistics about the most searched keywords. That would be
another very useful tool, one that other services are providing for the major
search engines. This would provide useful feedback that could also give
an orientation to the authors, giving them the knowledge about what is
most needed/appreciated by the community and what is not.
And about privacy defaults: a user that doesn't want to let you know
even his IP uses different means *on his own side*. You can have another
example of this concept again with cookies: if someone feels that a simple
cookie on his own HD is an invasion of privacy, he can set *his* browser
properties to avoid it, but the default is "cookies ON". This is just
because the statistics provided by a cookie or by a simple log are used in
the interest of the user to improve the service, to suggest new features,
and so on, and users would not provide that *explicitly* just because it
is annoying.
For this reason I am very sad to disagree with my favourite guru Randal:
IMHO the default should be ON; then, if the user has anything against the
fact that the author likes to know just that someone is installing his
distribution, it should be the user who explicitly does something *on his
side* to avoid it.
Obviously the author should allow the user to somehow skip sending that
simple info, but it should be up to the user to find the provided way in
the documentation (hardly written by the author specially for the user's
advantage).
I have maximum respect for other people's privacy and opinions, so please let
me know if a note in the doc and default OFF (i.e. you have to use
something like 'perl Makefile.PL DONT_CHECK_VERSION=1' to avoid any
connection) is somehow incompatible with CPAN, because in that case I
would have the following options:
1. Putting on CPAN just the PODs to give the user the information he needs
to decide if the module is useful or not, but letting the users download
the source only from my own site, thus having the possibility to log at
least the downloads of my own distributions. In this case, no connection
will be made during the installation.
2. Putting a condition in the copyright that subordinates the use of the
modules to a simple connection (even without any explicit registration)
made through the installation process. This might include an annoying
prompt that I'd like to avoid after receiving a lot of complaints.
3. Your very appreciated alternative suggestions.
Regards
Domizio Demichelis