Bug#571623: "version: !perl/Module::Build::Version" results in broken Debian version
Ansgar Burchardt
ansgar at 43-1.org
Fri Feb 26 17:09:52 UTC 2010

Hi,

Jozef Kutej <jozef at kutej.net> writes:
> Damyan Ivanov wrote:
>> Shouldn't this be loaded by the module which parses META.yml? In
>> dh-make-perl's case this is the YAML module (I also tried with
>> YAML::Syck and YAML::XS).
>
> hmm that could be a security risk, if by loading yaml file some other
> module would be automatically loaded, or?

A YAML file can call constructors for all loaded modules? That would
seem rather strange to me and might open lots of security holes when
loading an untrusted YAML file (you cannot assume that all modules have
safe constructors).

Or did I understand something wrong?

Regards,
Ansgar
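
A pre-load check for the concern raised in this message, as an added example (not code from dh-make-perl or from anyone in this thread): it scans META.yml text for explicit YAML tags and reports any that are not core data types, without invoking a YAML loader. The function name find_explicit_tags and the sample input are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Tags that resolve to plain data; every other explicit tag is reported.
my %CORE = map { $_ => 1 } qw(str int float bool null map seq);

# Returns a list of [line_number, tag] for each explicit tag outside %CORE.
# Deliberately errs towards false positives: quoting and comments are not
# parsed, so a "!" inside a string or comment can be reported as well.
sub find_explicit_tags {
    my ($text) = @_;
    my @hits;
    my $lineno = 0;
    for my $line (split /\r?\n/, $text) {
        $lineno++;
        # A tag starts with "!" that is not glued to a preceding word
        # character and runs up to whitespace or a flow indicator.
        while ($line =~ /(?<![A-Za-z0-9])(![^\s,\[\]{}]*)/g) {
            my $tag = $1;
            next if $tag =~ /\A!!(\w+)\z/ && $CORE{$1};
            push @hits, [$lineno, $tag];
        }
    }
    return @hits;
}

# Constructed sample: line 2 carries the tag from this bug's title; the
# other lines are made up for illustration.
my $meta = <<'YAML';
name: Example-Dist
version: !perl/Module::Build::Version
  original: 0.03
abstract: An example distribution
license: !!str perl
YAML

my @hits = find_explicit_tags($meta);
if (@hits) {
    printf "line %d: explicit tag %s\n", @$_ for @hits;
    print "refusing to load: file asks for non-core types\n";
    exit 1;
}
print "only core YAML types requested\n";
```

Running the check on the raw text means an untrusted file is rejected before any loader decides what to do with its tags.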