Stop shipping world writeable files in our tarball

The chain of failures would go as follows: when we prepare the tarball
we briefly copy all generated POD to our root dir so that the
manifest/distdir_copy process can pick it up. Then before the distdir is
ready we run a cleanup using ExtUtils::Install::uninstall. However
everything in the ditdir is hardlinked to our root dir, including the
files we "uninstall". EU::I::uninstall has a weird dance deep in its
source[1] where it explicitly does chmod(0666) on the file it is about
to delete (why?!). Thus we end up with world-writables in our distdir,
since the hardlinked inode still retains the result of that last chmod.

Switch to a manual cleanup, and leave EU::I alone.

[1] https://metacpan.org/source/YVES/ExtUtils-Install-1.54/lib/ExtUtils/Install.pm#L274

diff --git a/Changes b/Changes
index 5b1d6ea..e134e9e 100644 (file)
--- a/Changes
+++ b/Changes
@@ -5,6 +5,10 @@ Revision history for DBIx::Class
           aggregate function is used more than once in a 'having' clause
           (RT#83305)
 
+    * Misc
+        - Fixup our distbuilding process to stop creating world-writable
+          tarball contents (implicitly fixes RT#83084)
+
 0.08206 2013-02-08
     * Fixes
         - Fix dbh_do() failing to properly reconnect (regression in 0.08205)

diff --git a/maint/Makefile.PL.inc/53_autogen_pod.pl b/maint/Makefile.PL.inc/53_autogen_pod.pl
index 4efe837..ec6c1a1 100644 (file)
--- a/maint/Makefile.PL.inc/53_autogen_pod.pl
+++ b/maint/Makefile.PL.inc/53_autogen_pod.pl
@@ -133,9 +133,8 @@ EOP
 clonedir_cleanup_generated_files : dbic_clonedir_cleanup_generated_pod_copies
 
 dbic_clonedir_cleanup_generated_pod_copies :
-\t@{[
-  $mm_proto->oneliner("uninstall(q($pod_dir.packlist))", ['-MExtUtils::Install'])
-]}
+\t@{[ $mm_proto->oneliner('chomp && unlink || die', ['-n']) ]} $pod_dir.packlist
+\t\$(RM_F) $pod_dir.packlist
 
 EOP
 }