frioux / DBIx-Class-Helpers

https://metacpan.org/pod/DBIx::Class::Helpers

Problem installing on debian Stretch #81

Closed carragom closed 7 years ago

carragom commented 7 years ago

Hi there,

Currently there is a problem installing DBIx-Class-Helpers in Debian Stretch and possibly on most modern perl versions. There is a dependency down the tree that won't install. DBIx-Class-Helpers depends on DBIx-Class-Candy, which in turn depends on String-CamelCase. String-CamelCase has this issue open, which seems to be the effect of some new feature for hardening perl against CVE-2016-1238. As explained here there is a workaround, export PERL_USE_UNSAFE_INC=1, but I'm guessing this will hit users more and more as they upgrade. This is not an issue of DBIx-Class-Helpers itself, but I wanted to report it here just in case, since it does render the package uninstallable from CPAN on recent perl versions.

Thanks for your time.
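As an added example (not code from this thread, from DBIx-Class-Helpers, or from String::CamelCase), a small Perl scanner that flags the load patterns in a Makefile.PL or Build.PL that stop working once '.' is removed from @INC, so a packager can see why a dependency fails to build without falling back to PERL_USE_UNSAFE_INC=1. The sample Makefile.PL text is constructed, and the set of patterns is an assumption about what typically breaks.

```perl
#!/usr/bin/perl
# Flag file loads that silently depended on '.' being in @INC.
# Once perl stops adding '.' to @INC (the CVE-2016-1238 hardening),
# "use inc::...", and "require"/"do" with a bare relative file name all
# search @INC only, so they die with "Can't locate ...".
use strict;
use warnings;

# Ordered list so output is deterministic.  These are assumed patterns.
my @patterns = (
    [ 'use inc::...'               => qr/^\s*use\s+inc::/ ],
    # A quoted file name that does not start with '.', '..' or '/' is
    # searched for in @INC rather than relative to the current directory.
    [ 'require "bare/file"'        => qr/^\s*require\s+["'](?![.\/])[^"']+["']/ ],
    [ 'do "bare/file"'             => qr/^\s*do\s+["'](?![.\/])[^"']+["']/ ],
);

# Returns a list of [line_number, pattern_name, line_text] for every hit.
sub find_cwd_loads {
    my ($source) = @_;
    my @hits;
    my $n = 0;
    for my $line (split /\n/, $source) {
        $n++;
        for my $p (@patterns) {
            my ($name, $re) = @$p;
            push @hits, [ $n, $name, $line ] if $line =~ $re;
        }
    }
    return @hits;
}

# Constructed sample, not String::CamelCase's real Makefile.PL.
my $sample = <<'END';
use strict;
use inc::Module::Install;        # flagged: fix with "use lib '.';" just above it
require "./inc/helper.pl";       # fine: explicit "./" path is not searched in @INC
do "private.pl";                 # flagged: use do "./private.pl"
require "config/settings.pl";    # flagged: use require "./config/settings.pl"
END

for my $hit (find_cwd_loads($sample)) {
    printf "line %d: %-20s %s\n", @$hit;
}
```

The fixes named in the sample comments are script-local (an explicit ./ path, or use lib '.' limited to the build script), unlike PERL_USE_UNSAFE_INC=1, which re-enables the pre-CVE behaviour for every perl process that inherits the variable.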

frioux commented 7 years ago

I'll do what I can, but you are hugely overstating this issue. The "modern perl" version you are referring to isn't even released yet. Unless something unusual is happening, the next perl will be released in 4ish months. That Debian stretch users are willing to use a development version of Perl arguably implies that they get what one would obviously expect: lots of instability.

-- Sent from a telephone. Pardon my brevity.

On Feb 10, 2017 8:03 PM, "Carlos Ramos" notifications@github.com wrote:

Hi there,

Currently there is a problem installing DBIx-Class-Helpers in Debian Stretch and possibly on most modern perl versions. There is a dependency down the tree that won't install. DBIx-Class-Helpers depends on DBIx-Class-Candy, which in turn depends on String-CamelCase. String-CamelCase has this https://rt.cpan.org/Public/Bug/Display.html?id=120079 issue open, which seems to be the effect of some new feature for hardening perl against CVE-2016-1238 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1238. As explained here http://blogs.perl.org/users/todd_rinaldo/2016/11/how-removing-from-inc-is-about-to-break-cpan.html there is a workaround, export PERL_USE_UNSAFE_INC=1, but I'm guessing this will hit users more and more as they upgrade. This is not an issue of DBIx-Class-Helpers itself, but I wanted to report it here just in case, since it does render the package uninstallable from CPAN on recent perl versions.

Thanks for your time.


carragom commented 7 years ago

Hi @frioux,

First, thanks a lot for your time and effort. I'm really sorry if I freaked out. In my defense, I do have some excuse for it. According to the CVE, versions >=5.22.3 and >=5.24.1 are affected by this, and they were released about a month ago according to cpan. Also, being a security issue, this might get back-ported to previous versions of Perl by the respective security teams. But again, thanks a lot for getting involved in something that is not directly related to your package.

Cheers.

frioux commented 7 years ago

For anyone interested, I emailed the author of String::CamelCase directly and got no response. I think I'm just going to stop depending on it as it's broken my dist twice now.

frioux commented 7 years ago

Resolved with 2.033003