use Perl

Dear lazyweb...

This must be a solved problem. One has a version control system, and one has a tarball of perl, and tarballs of a bunch of known versions of modules that one has downloaded from CPAN, which makes one decoupled from any subsequent changes or deletions on CPAN. What one wants to do is build perl, and then build all those module versions, from the local snapshotted versions.

So what's the best way to do this? The naïve, brute force, way is to build perl, and then loop round all the tarballs in order, extracting them, running Makefile.PL, ignore there whining about missing dependencies (as we're going to get to them), run make install, and hope - ie skipping all tests. However, this is also getting trapped by Makefile.PLs that decide that they want to ask questions, or things that really wanted Module::Build, etc.

What would be really nice would be to do it in the dependency order that the cpan shell would work out, but the danger of just using it is that it goes off and tries (helpfully) to download things that it can't find, which is not what is wanted. (If we goof, and fails to have a suitable version of the module, it's a fail)

So what's the best tool for this job?

nicholas writes "

"The language is still changing, there is no spec for the language, there are going to be differences between implementations that are essentially undefined behavior."

The Register has an article about Ruby.NET with a lot of quotes from the project manager, John Lam, such as the one above. However, the spec is not something they can do anything about, so they have no choice. But one that caught my eye was one they do have some choice over:

Some familiar features will not be implemented, however. "Call with current continuation, we're not implementing that. [Although] JRuby isn't either. ...

It makes me ask myself a couple of questions, but not being familiar with Ruby or .NET, I don't know the answer to either. Does my usually silent readership know:

• How often is call with current continuation used in typical Ruby programs? Would its absence be noted frequently?
• Why do both the .NET and Java VM implementations of Ruby choose to omit it? Are continuations something stonkingly hard to make work well on their VMs? Would such a problem constrain any attempts to make Perl 6 run nicely on the VMs?

"

Today Tom "Spot" Callaway of RedHat mailed perl5-porters to say:

Today, perl 5.10.0 went into Fedora rawhide, which will become Fedora 9.

A few additional changes were committed with this release:

• Fedora is now tracking all of its patches in patchlevel.h
• The sitedir and sitearch directories are now located under /usr/local, to make it very clear that files installed by CPAN did not come from Fedora packages (they still work fine).

We got a tremendous amount of help from the perl 5 porters community, especially Andy Armstrong, Nicholas Clark, and Rafael Garcia-Suarez. Without your help, we would not have been able to meet the Fedora deadline.

The Fedora 9 beta release is scheduled for March 20, and the final F-9 release is scheduled for April 29, 2008.

Thanks again for all of your help,

~spot

Cool. So all the swearing at Math::Pari and staying up past midnight on Saturday was worth it. However, I note that there is some irony that of the three people named for their help, none actually use Fedora.

On the first morning of the 10th German Perl Workshop Max did a tutorial on Advanced Perl during which someone asked about the difference between our and use vars. Max didn't know the answer offhand (and being smart, doesn't need to pretend to be by pretending to know the answer), and I had to scratch my head a bit when Jürgen told me about it (I'd been in the other tutorial), so Jürgen asked if I could do a lightning talk to explain it. I said yes (which seemed to be consistent with a question at breakfast - Jonathan asked "are you speaking this year?" and I replied "not yet").

However, today it turned out that it is a good thing that I am a virtuously lazy programmer and hadn't written any slides, as Steffen Ullrich did an excellent talk on Perl Gotchas which had an example of code which explained it much better than I could. Specifically, consider the following:

!/usr/bin/perl -w

use strict;

package awk;

# ...

package urkk;
our @ISA = 'awk';

# ...

package rakkk;
our @ISA = 'urkk';

# ...

package owww;
@ISA = 'rakkk';

# ...

1;

All nicely strict clean:

$ perl -Mawk -e0

but nevertheless buggy. Why? Because the inheritance isn't set up correctly:

$ perl -Mawk -wle 'print @owww::ISA'

$ perl -Mawk -le 'print @rakkk::ISA'
rakkk
$

Erk! How did that happen? It's because the our was missed from the last assignment. It should read:

package owww; our @ISA = 'rakkk';

But without that our, that last assignment is still to the variable @rakkk::ISA , not @owww::ISA, because our actually creates a lexical alias to the global variable, a lexical that is still in scope for the rest of the file.

Whoops! Gotcha!

The timetable for the 2008 German Perl Workshop is now up. I'm going. Are you?

Perl 5 Porters have released a fix to the regexp engine, which Google researchers recently discovered had a buffer overflow when compiling very specific patterns. Note that the pattern is the risk, not the data it matches.

All Perl users should consider updating their Perl installation to address CVE-2007-5116:

• For Perl 5.8.8
  ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/regexp-5.8.8.patch
• For Perl 5.8.7, 5.8.6 and 5.8.5 ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/regexp-5.8.7.patch
• For Perl 5.8.4 ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/regexp-5.8.4.patch
• For Perl 5.8.3, 5.8.2 and 5.8.1 ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/regexp-5.8.3.patch
• For Perl 5.8.0 ftp://ftp.cpan.org/pub/CPAN/authors/id/N/NW/NWCLARK/regexp-5.8.0.patch

Specifically, the bug is that if you have a pattern which in itself uses no Unicode characters, but matches Unicode characters (for example \x{} escapes) then at compile time the regexp engine will allocate memory assuming an 8 bit representation on the first pass. However, if the pattern also has 8 bit characters, then when the Unicode characters are compiled (on the second pass) any existing 8 bit characters will be converted to UTF-8 representation, which is likely to be a buffer overflow. Matches will also fail.

Given that it's been present since 5.8.0 (July 2002) and the bug itself (but not the security implication) wasn't reported until early this year*, it is unlikely to crop up in the wild.

Redhat's announcement is https://rhn.redhat.com/errata/RHSA-2007-0966.html which I find unclear in its wording:

Specially crafted input to a regular expression can cause Perl to improperly allocate memory, possibly resulting in arbitrary code running with the permissions of the user running Perl.

The "input" is the pattern, not the matched string. So it's not going to be an issue at all, unless your programmers are foolish enough to allow untrusted user input to be interpolated into regular expressions. If so, you were already open to denial of service attacks from patterns that bust the C stack (fixed in 5.10) or take until the heat death of the universe to complete (inherently unfixable in a general purpose programming language).

The CVE announcement is http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5116 It's terse, and has the same ambiguity:

Buffer overflow in the polymorphic opcode support in the Regular Expression Engine (regcomp.c) in Perl 5.8 allows context-dependent attackers to execute arbitrary code by switching from byte to Unicode (UTF) characters in a regular expression.

Yes, conceivably you can now inject arbitrary code. But if you did, you program (not perl) was badly written, and already had the ability to be crashed or hung.

The timing of this announcement is not ideal. Security researches at Google discovered the buffer overflow in the regexp engine compiler. As best I can tell, they reported it to Linux vendors, who forwarded it to one Perl 5 committer, who forwarded it on to the rest. There was some discussion about the patch that needed backporting from 5.10 (where it was already fixed) to 5.8, and then that was the last we heard.

The next "contact" we had was discovering that the Linux vendors had made public security announcements, without even notifying us, let alone discussing a timescale. I consider this outcome neither professional nor courteous, but hope that it was caused by an unfortunate series of events that won't re-occur.

To help avoid such a repeat, we've set up a contact address, perl5-security-report@perl.org solely for reporting any similar core security bugs.

Currently it points to a unarchived mailing list with the same name (perl5-security-report@perl.org), using the regular perl.org list manager and sign-up address conventions. We'd welcome anyone competent to request to subscribe. It's likely not to be high traffic — right now we seem to average 1 security issue every 2 years, but we'd really like more people on it so that there's a good chance that at least one of the subscribers will have the time to respond to any initial report within 24 hours, at least to say roughly:

"thanks for the report. I can confirm that this is a bug. We're looking into how to resolve it, and we'll get back to you"

* The bug was first found against 5.10-to-be, not 5.8.x, by Jeurd, while at the German Perl Workshop, when trying to write a program to convert BNF grammars to 5.10 regexps. You have to push the engine pretty far to get to it.