Formal Request - Discourage Taint

From: Chase Whitener

Date: September 13, 2019 15:40

Subject: Formal Request - Discourage Taint

Message ID: CALoNeLs7DY75D+gWDg2RAG4GE+j0zutsk=Dp25dT8NTozsr-ww@mail.gmail.com

September 13, 2019 15:40Formal Request - Discourage Taint

Taint mode was created a long time ago to help ensure safety with suidperl -it was designed to avoid dirty data messing up system calls. We've long since realized suidperl was a bad idea, yet we have kept Taint mode around under the pretense that it makes our code safe; it's time to let that go. It did do one thing of note; it removed dot from @INC. Having @INC cleaned of dot caused a lot of work to happen to ensure things continued to function/install. That work has already been done at this point and removing Taint wouldn't add to the heartache anymore. It's nearly everywhere in the Perl code base and in lots of places on CPAN, slowing things down and creating bugs that otherwise wouldn't exist. For example, File::Spec is broken on Windows when used with Taint mode on. It's broken because Taint mode restricts use of environment variables (which doesn't protect anything). There's no good way to fix that. An example: https://rt.cpan.org/Ticket/Display.html?id=129791#txn-1863529 Rather than re-stating everything that's been discussed already on the matter, I'll point you to a good summation on reddit here: https://www.reddit.com/r/perl6/comments/718z4o/taint_mode_for_perl_6/dnmu83i/ Also, as was pointed out on IRC, we can simplify the Perl code by removing all of this confusion and getting rid of some of the absurdity such as the fact that there are two flags: SILENT_NO_TAINT_SUPPORT makes -T silently not do anything NO_TAINT_SUPPORT makes it an error In short, it's a placebo for safety that causes more problems than it ever even claimed to solve. Officially discouraging it makes sense. I see such discouragement coming in the form of: 1. Updating documentation to claim it discouraged. 2. Requiring user opt-in via build flags to build with Taint mode. The default build should be NO_TAINT_SUPPORT. My perfect world scenario would see both existing build flags done away with and a positive one (WITH_TAINT_SUPPORT maybe) that defaults to a falsey value being added. Either way, force users to choose to turn on Taint mode, keeping with the official discouragement stance. Thanks, Chase



