On Fri, Apr 01, 2016 at 11:21:45PM +0100, Dominic Hargreaves wrote:
> On Mon, Mar 12, 2012 at 09:49:59PM +0200, Niko Tyni wrote:
> > Just a note that this topic has resurfaced upstream; the thread starts at
> >
> > http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2012-03/msg00265.html
>
> And again, this time with a patch:
>
> https://rt.perl.org/Public/Bug/Display.html?id=127810

Thanks for the note. For reference, the patch adds a new Configure
option (-Dfortify_inc) that removes cwd from @INC unless a special
environment variable is set at runtime.

> I think that we would want to apply this as soon as practical (assuming
> it gets merged to blead) but I'm not sure if that extends as far as
> us patching 5.24 in Debian. An experimental rebuild would be worthwhile,
> at least.

The patch itself should be harmless (assuming it really is only limited
to -Dfortify_inc), but I doubt we can activate the option soon. Staging
things for a test rebuild will certainly be necessary first, and testing
early would probably give useful information for the upstream ticket.
Our rebuilds cover a different set of software from the upstream CPAN
smoking process.

Overall, this is still in the upstream development stage, and test
rebuilds to help that could be done with a locally patched perl package.
I don't see much need or use for uploading the patch to Debian at this
point, as I suspect this is realistically stretch+1 material.

I note that removing '.' from @INC by default will certainly break local
(non-packaged) Perl programs for some users. This change will need
prominent documentation and is still likely to result in some
frustration, although it's certainly for the greater good.

-- 
Niko Tyni nt...@debian.org