Posted to dev@spamassassin.apache.org by Ricardo Signes <sp...@rjbs.manxome.org> on 2012/05/16 22:30:55 UTC

SpamAssassin not compatible with local::lib due to taint

Today I wanted to do some tests with a more recent Mail::SpamAssassin than the
ancient one left over on my work workstation.  I did the very usual thing for
this kind of testing:

  $ eval `perl -Mlocal::lib=~/local/sa-3.3.2`
  $ cpanm Mail::SpamAssassin

If you're writing Perl and don't know about local::lib, you should learn.  It's
fantastically useful.  It's a very simple way to maintain alternate,
compartmentalized hunks of @INC/$PATH entries, and is wildly useful for
testing.  Here's the Perl Advent article on it from last year:
http://perladvent.org/2011/2011-12-01.html

Anyway, part of how it works is by setting up your environment for you,
including PERL5LIB.  More or less all of my non-core libraries are installed in
local::libs.  Even if they were not, that's where things were being installed
as prereqs for Mail-SpamAssassin.

Unfortunately, the test suite kept not finding them.  What the heck was going
on?  I was tearing my hair out until I realized that taint mode makes PERL5LIB
meaningless.  It gets entirely ignored.  The SpamAssassin tests do not use -T
in their shebang lines, but they often run external programs, and the SATest.pm
library defaults to adding -T to the perl invocation unless
$ENV{TEST_PERL_TAINT} is set to "no".

I dug this up with some grepping, set the env var, and set the tests running.
Things were passing!  Great!

...until it got to tests that ran spamd.  spamd has -T on its shebang line,
which means that when SATest tries to run it without -T, perl dies with:

  "-T" is on the #! line, it must also be used on the command line

So Mail-SpamAssassin can't, it seems, be tested without taint mode, which means
it can't be tested with PERL5LIB in effect, which means it can't work with
local::lib, which means I am sad.

Here are some options.  I can probably write a patch.

* make Makefile.PL decline to configure the dist if PERL5LIB is set
* remove the -T from the shebang line of spamd
* skip tests that need to run spamd if TEST_PERL_TAINT eq 'no'
* other

Thanks for the software!

-- 
rjbs

Re: SpamAssassin not compatible with local::lib due to taint

Posted by Ricardo Signes <sp...@rjbs.manxome.org>.
* "Kevin A. McGrail" <KM...@PCCC.com> [2012-05-19T20:34:00]
> On 5/16/2012 4:30 PM, Ricardo Signes wrote:
> >Here are some options.  I can probably write a patch.
> >
> >* make Makefile.PL decline to configure the dist if PERL5LIB is set
> >* remove the -T from the shebang line of spamd
> >* skip tests that need to run spamd if TEST_PERL_TAINT eq 'no'
> >* other
> >
> >Thanks for the software!
> My thoughts are, by conjecture, I'm assuming the "ancient one" did
> work with local::lib?  What was that version and what option(s) did
> it use above that allowed it to work?

(I am quoting you slightly out of order below.)

It did not.  That version (v3.2.4) was installed before local::lib had gained
much popularity.  It was fun to go back and check, though, and to see all the
deprecation warnings it issues now on 5.16.0-RC2-ish. :)

> But it sounds like all you have to do is remove a single -T and you
> are good so I don't know that this is anything more than an extreme
> edge use that is best handled by your just editing the existing
> source for your needs, no?

My concern isn't so much dealing with what I need -- I've already dealt with
it.  It's with saving time for anybody else who encounters this in the future.

> Overall, though, we can likely look at a patch but this is a pretty
> specific request that isn't very core to the project. My concern is
> the ripple from your change to core needs.

If this use case seems very unlikely to re-occur, I think the simplest change
would be for me to add to Makefile.PL:

  die "Mail::SpamAssassin is not compatible with environments using PERL5LIB"
    if length $ENV{PERL5LIB};

(or if length $ENV{PERL_LOCAL_LIB_ROOT})

The problem, of course, is that there isn't actually a problem if all of the
dist's prereqs are already installed in perl's built-in @INC, and PERL5LIB is
not needed.  The next step, then, would be to tweak Makefile.PL to add a sub
somewhere to My:: to make the fatal error occur only if there are unmet
prereqs if there's a PERL_LOCAL_LIB_ROOT.  In this condition, the CPAN
installer being used will end up installing things to PERL5LIB, where they will
not be findable, so the tests aren't going to find the libraries even if they
get installed.

I think such a patch would only be a few lines.  I'll have a go at it this
week, once some other pressing code has shipped.

-- 
rjbs
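
The check proposed in the message above, as an added example (not code from this thread or from SpamAssassin's Makefile.PL): it asks a `perl -T` child for its @INC, which shows the taint-mode behaviour described in the first message, and fails only when a prerequisite is invisible there while PERL5LIB or PERL_LOCAL_LIB_ROOT is set. The sub names and the prerequisite list are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Ask a child perl started with -T for its @INC. Taint mode ignores
# PERL5LIB, so this is the search path a -T script such as spamd gets.
sub taint_inc {
    open(my $fh, '-|', $^X, '-T', '-e', 'print "$_\n" for @INC')
        or die "cannot run $^X -T: $!";
    chomp(my @dirs = <$fh>);
    close $fh or die "$^X -T exited with status $?";
    return @dirs;
}

# True if Module::Name has a .pm file under one of the given directories.
sub findable {
    my ($module, @dirs) = @_;
    (my $file = "$module.pm") =~ s{::}{/}g;
    return scalar grep { -f "$_/$file" } @dirs;
}

# Prerequisites that cannot be loaded once -T is in effect.
sub unmet_under_taint {
    my @prereqs = @_;
    my @dirs    = taint_inc();
    return grep { !findable($_, @dirs) } @prereqs;
}

# Constructed sample list: one core module and one hypothetical name.
# A real Makefile.PL would pass its own prerequisite list here.
my @prereqs = qw(File::Spec My::Hypothetical::Prereq);

my @unmet   = unmet_under_taint(@prereqs);
my $alt_lib = length($ENV{PERL_LOCAL_LIB_ROOT} // '')
           || length($ENV{PERL5LIB} // '');

if (@unmet && $alt_lib) {
    die "These prerequisites are not visible to perl -T: @unmet\n"
      . "PERL5LIB/local::lib is in effect, and taint mode ignores it, so\n"
      . "installing them there will not help the -T tests or spamd.\n";
}
print "OK: ", (@unmet ? "unmet prereqs: @unmet (no PERL5LIB in use)"
                      : "all prereqs visible under -T"), "\n";
```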

Re: SpamAssassin not compatible with local::lib due to taint

Posted by "Kevin A. McGrail" <KM...@PCCC.com>.
On 5/16/2012 4:30 PM, Ricardo Signes wrote:
> Today I wanted to do some tests with a more recent Mail::SpamAssassin than the
> ancient one left over on my work workstation.  I did the very usual thing for
> this kind of testing:
>
>
> Here are some options.  I can probably write a patch.
>
> * make Makefile.PL decline to configure the dist if PERL5LIB is set
> * remove the -T from the shebang line of spamd
> * skip tests that need to run spamd if TEST_PERL_TAINT eq 'no'
> * other
>
> Thanks for the software!
My thoughts are, by conjecture, I'm assuming the "ancient one" did work 
with local::lib?  What was that version and what option(s) did it use 
above that allowed it to work?

Overall, though, we can likely look at a patch but this is a pretty 
specific request that isn't very core to the project. My concern is the 
ripple from your change to core needs.

But it sounds like all you have to do is remove a single -T and you are 
good so I don't know that this is anything more than an extreme edge use 
that is best handled by your just editing the existing source for your 
needs, no?

Regards,
KAM