LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Linux support for ARM big.LITTLE

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 21:37 UTC (Fri) by kjp (subscriber, #39639)
Parent article: OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

>> pkg-config Marc Espie: Complete rewrite from scratch in an appropriate language, namely Perl. <<

Oh Lord. Not only is it 2007 and people are still using this baroque, programmer hostile language but the openbsd project? Jeez I thought they liked safe, readable code. Perl is the antithesis of this.

(Log in to post comments)

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 22:29 UTC (Fri) by arcticwolf (guest, #8341) [Link]

Quite the opposite - Perl is both safe and readable. It just separates the "the right tool for the right job" folks that care about getting stuff done from the narrow-minded anti-evangelists that like to bitch and moan whenever their trigger word is mentioned.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 23:21 UTC (Fri) by khim (subscriber, #9252) [Link]

Quite the opposite - Perl is both safe and readable.

Unfortunately not. It's not safe and it's not readable and the reason is simple: a lot of operations in Perl don't have well-defined semantics. That's why threaded Perl is not default even today (it breaks a lot of scripts and there are no easy way to fix semantic because it's a mess) and why hopeless Perl6 project exists.

It just separates the "the right tool for the right job" folks that care about getting stuff done from the narrow-minded anti-evangelists that like to bitch and moan whenever their trigger word is mentioned.

Heh. Despite everything written above it's true: Perl is very good for work with texts where security is not important - and that's exactly what the pkg-config is! It's used to compile sources and these sources are then run from root. If you compile source which can potentially misuse pkg-config to mess with your system... then you have much bigger problem then pkg-config's usage of Perl: unsafe package can easily mess with system directly - no need to involve pkg-config!

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 23:33 UTC (Fri) by drag (subscriber, #31333) [Link]

It's certainly safer then.. say.. C or C++ or PHP.

And the readability is up to programmer, not the programming language. The only language I know that forces some form of readability is Python becasue of it's usage of white space to replace common uses for brackets. Even then it's still very easy to make it fugly.

As far as threading goes.. That I suppose is a issue with Perl's currently antique-ness. It's a very old language in terms of high level languages that are being commonly used today. It hasn't had a major update in many years.

As far as threading goes it is inferior to forking on Unix-like systems for a wide veriety of reasons, except in (a minority of) cases were threading is a real nessicity. (I am thinking in general terms for things people use java/python/php/perl/ruby etc today. And Windows is completely different beast.)

Still though. Perl6 should be some very cool stuff.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 0:18 UTC (Sat) by tetromino (subscriber, #33846) [Link]

> It's not safe
$ perldoc Safe
> it's not readable
a matter of taste; I find it more as readable as C and Python, and vastly more readable than Javascript.
> a lot of operations in Perl don't have well-defined semantics.
No, you just haven't read the documentation or the Camel Book
> That's why threaded Perl is not default even today
Threaded perl not default because of *thread-unsafe external C libraries* many old Perl modules link to.
> there are no easy way to fix semantic because it's a mess
It's not perl's fault that C programmers don't know how to use pthreads properly.
> why hopeless Perl6 project exists
The perl6 project exists because perl5 is over 10 years old, and has some obvious deficiencies. The project appears "hopeless" because it is long on ambition, short on manpower, and because perl's traditional test-based development style is an inherently slow process (compared to many other projects' style of "release it when it compiles").

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 10:04 UTC (Sat) by khim (subscriber, #9252) [Link]

> It's not safe

$ perldoc Safe

Kind of ironic that two most dangerous languages in wide use (PHP and Perl) have "safe mode" - and in both cases it just makes life difficult for programmer but does not actually make the result safer ? In both cases "safe mode" only adds few checks and does not make the result of program more preductable.

> it's not readable

a matter of taste; I find it more as readable as C and Python, and vastly more readable than Javascript.

Not really. If you don't really know what the language construct actually does - it does not matter if there are good or bad things in language syntax: to really understand the program you need to dig deep in source of interpreter and/or scan test suite for sutable test. And even then it's usually just a guess. Sometimes you can correctly guess what the program does without doing it - but usually only for small scripts. Javascript has similar problem but it's not really the same: Javascript has well-defined syntax and semantic (unlike Perl), but when it finds something "bad" it tries to "fix it" and execute anyway (instead of signalling error) and yes, it's very annoying.

> a lot of operations in Perl don't have well-defined semantics.

No, you just haven't read the documentation or the Camel Book.

Me ? I've just scanned it few times. But actually I was not the guy who said that Perl is hopeless. There are other guy who did. His name is Larry Wall. Have you heard about him ? It was he who first said that Perl syntax is unmaintable and unfixable mess - it just coincided with my own observations (I was Perl maintainer for local Linux distribution at the time). BTW he quite literally said this - aloud, on conference, so I'm not sure it's easy to find records. But you can easily read narration here (scroll to "What's Wrong with Perl 5").

> That's why threaded Perl is not default even today

Threaded perl not default because of *thread-unsafe external C libraries* many old Perl modules link to.

Wrong. You can easily compile all C libraries with pthreads support and as long as you are not actually using threads - you will be Ok. But if you enable threads support in Perl - everything goes to hell. Threaded Perl breaks things even if you are not using threads and/or C extensions. The mere activation of threads support in Perl broke LaTeX2HTML last time I've checked - and that's pure Perl script, no external C extensions in sight. Today they "fixed" it by bolting on pseudothreads, but it's band-aid at best. Ithreads have separate interpreters for different threads - how it's different from fork+shared memory? It's not threads - it's travesty, C library was fixed by replacing one global variable (errno) with function, Perl apparently can not be fixed at all.

> there are no easy way to fix semantic because it's a mess

It's not perl's fault that C programmers don't know how to use pthreads properly.

What this has to do with anything ?

> why hopeless Perl6 project exists

The perl6 project exists because perl5 is over 10 years old, and has some obvious deficiencies.

Have you ever took an interest in the list of these deficiencies ? Number one is lack of well-defined semantics. And lack of well-defined semantics is definition of unsafe language! And no extensive test suite is not panacea: LaTeX2HTML was broken anyway even if all perl regression tests said everything should be Ok.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 15:44 UTC (Sat) by tetromino (subscriber, #33846) [Link]

> "safe mode" - and in both cases it just makes life difficult for programmer but does not actually make the result safer ? In both cases "safe mode" only adds few checks and does not make the result of program more preductable.

Clearly you are not thinking of the same Safe that I am thinking of. The whole point of perl's Safe is to restrict potentially unsafe perl code to a safe subset of the perl API. For instance, if you suspect that a perl script you downloaded might contain a trojan, you can just run it inside Safe to prevent it from accessing your filesystem and network. If it does try to access something it shouldn't, you get an exception, so you can confirm your suspicions. If that's not safety then we are not using the same dictionary.

> If you don't really know what the language construct actually does - it does not matter if there are good or bad things in language syntax: to really understand the program you need to dig deep in source of interpreter and/or scan test suite for sutable test. And even then it's usually just a guess.

I apologize, but what you are describing is called "lack of experience".

> Me ? I've just scanned it few times. But actually I was not the guy who said that Perl is hopeless. There are other guy who did. His name is Larry Wall. Have you heard about him ? It was he who first said that Perl syntax is unmaintable and unfixable mess - it just coincided with my own observations (I was Perl maintainer for local Linux distribution at the time). BTW he quite literally said this - aloud, on conference, so I'm not sure it's easy to find records. But you can easily read narration here (scroll to "What's Wrong with Perl 5").

Have you read the link? Larry Wall made the observations that:
1. perl5 the language lacks a formal written specification, there is only the source code and the test suite. Note that this situation is not unique to perl; ruby is in the exact same boat. This obviously makes it more difficult to make major changes to the perl5 interpreter but is completely orthogonal to whether perl's syntax is a mess or not.
2. perl5's syntax has some awk-like cruft that doesn't belong in a modern general-purpose language (namely, formats).
3. one of the fundamental features of the perl5 syntax - namely, that lists and hashes are prefixed with @ and %, but elements of a list or hash are prefixed with $ - is actually pretty silly; there is no good reason for it. It would make more sense to write @list[5] than $list[5], and that's how it will be done in perl6. However, if this one example makes you think that perl5 is a mess, then we have different definitions of "mess".
4. the way perl5 does tie, overload, and object-orientation is slow and inefficient.

> But if you enable threads support in Perl - everything goes to hell. Threaded Perl breaks things even if you are not using threads and/or C extensions. The mere activation of threads support in Perl broke LaTeX2HTML last time I've checked - and that's pure Perl script, no external C extensions in sight.

That doesn't sound right. For the past 3 years, I've always used perl with threading enabled, and latex2html (20041025 beta version) works fine for me. I've googled, and haven't found anything about latex2html thread problems. Do you have a link? I am interested to know how a pure perl script could possibly be affected by ithreads - to me it sounds impossible...

> Ithreads have separate interpreters for different threads - how it's different from fork+shared memory?

At the kernel level, there is no difference between threads and forked processes with shared memory. However, I am guessing you are trying to say that "ithreads are not very efficient" - which is indeed true. The ithread construct deliberately gives up efficiency for the sake of programmer convenience and backwards compatibility.

> And lack of well-defined semantics is definition of unsafe language!

No. Unsafe semantics are the definition of an unsafe language. For example, C has a formal specification, but its null-terminated strings have had a horrific impact on software security for the past 35 years.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 6, 2007 7:23 UTC (Sun) by jengelh (subscriber, #33263) [Link]

>3. one of the fundamental features of the perl5 syntax - namely, that lists and hashes are prefixed with @ and %, but elements of a list or hash are prefixed with $ - is actually pretty silly; there is no good reason for it. It would make more sense to write @list[5] than $list[5], and that's how it will be done in perl6. However, if this one example makes you think that perl5 is a mess, then we have different definitions of "mess".

Actually, one uses $list[5] *today*! Like the book or some manpage says, $ is the "singular" and @ is the "plural", as in

@list[5,6] = qw(foo bar);
print $list[5], "\n";

You /can/ use @list[5], but it does not make much sense.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 18:37 UTC (Sat) by niner (subscriber, #26151) [Link]

> But if you enable threads support in Perl - everything goes to hell. Threaded Perl breaks things even if you are not using threads and/or C extensions.

At least the SuSE distribution has shipped a theaded perl for years now without any problems. The distribution itself uses perl in many places, even in yast, so if threaded Perl were as bad as you describe, users would surely have noticed it by now.

ithreads may be far from the best implementation possible, but they are at least usable, which is more than I'm used to from other scripting languages. PHP does not even have multi threading support, python's is pretty much useless due to the global interpreter lock. If you want to actually use your multiple CPU cores with python, you have to use multiple processes.

Perl thread versus OpenBSD

Posted May 5, 2007 18:30 UTC (Sat) by smoogen (subscriber, #97) [Link]

The issue comes down to culture versus language. One can write wonderfully nice bash, perl, awk, sed scripts that are readable and maintainable. One can write obscured python, etc that never does what one expects it to. The issue is the culture surrounding the languages and the ease to which one can tend towards line-noise.

Perl had for the longest time a set of people who felt that if you couldnt output line-noise, you didn't use the language correctly (or weren't man enough to handle the true power of Perl.)

Python has had a set of people where line-noise is un-acceptable but have their own 'you arent a real man unless you have figured out... blah'.

In the end, each works for a segment of the population as human brains are not wired uniformally. And all the arguments, yelling, pooping contests, are territory marking to try and gather a larger segment of a population to get the various genetics involved to spread another generation or two.

Perl thread versus OpenBSD

Posted May 6, 2007 19:35 UTC (Sun) by bronson (subscriber, #4806) [Link]

pooping contests?

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 7, 2007 16:29 UTC (Mon) by kjp (subscriber, #39639) [Link]

If you think perl is a "right tool" for a job, you don't have access to many tools. I wasted over 4 years maintaining a web application written in perl and the new parts written in python are 10x easier.

Why perl sucks, and ALL of these are non issues in python:
* Auto vivification reading non existant values from a hash (and no warnings).
* can we say 'no concept of types other than string'? Yeah that's really safe.
* having to figure out my vs our vs local mess
* getting WRONG line numbers in errors when using print << to blocks
* designing a language with -w and use strict off by default
* people using &func() to bypass argument checks
* aforementioned argument checks braindead anyway due to no real type concept
* "exception" propogation with eval and $@ inelegant to say the least.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 22:40 UTC (Fri) by chromatic (guest, #26207) [Link]

Perhaps you meant s/Perl/C/g in your comment. C doesn't have taint mode, for one particular example.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 4, 2007 23:27 UTC (Fri) by khim (subscriber, #9252) [Link]

While C is not particularly "safe" language it's infinitely better then Perl: while it does have some dangerous constructs it's simple and limited language. Perl is not. You can rarely be 100% sure about what your Perl program actually does. You can have some guesses and in simple cases you'll be right most of the time, but in general - it's not actually possible. If that's not definition of "unsafe" language then I don't know what is.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 0:27 UTC (Sat) by tetromino (subscriber, #33846) [Link]

With all due respect, I suspect that the fact that you don't know why your perl code does what it does is a result of your lack of experience in using perl and lack of time to read the documentation.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 10:12 UTC (Sat) by khim (subscriber, #9252) [Link]

If I don't know what my code is doing - then I'm ill. May be bad memory, may be something else. The question is: can I understand what the code written by others is doing. If they wrote program without explicit goal of fooling me. Perl fails this test spectacularly: it's rarely easy to do unless the code is written by someone who's using very small "safe" subset of Perl.

I can easily do this with C or Python, I can do it with C++ or Haskell (not easy, but doable), but I can not do it with Perl - and neither can Larry Wall (see my comment above). And if not he, then who ?

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 18:05 UTC (Sat) by Richard_J_Neill (subscriber, #23093) [Link]

There are several issues here.

1)Can perl be obfuscated/hard to read? Yes. For example, this construct which I saw on slashdot as a signature.

perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print'

That's the origin of the "write-only code" or "programming in line-noise" jokes. But then, any language allows this.

2)Can perl be clearly written and understandable. Yes, of course - it depends on the style of the author. (It also helps to avoid some of the more obscure syntax).

3)Can you write a trojan in perl, which will fool casual inspection of the source. Yes. But you can do it in C, or bash too. Eg:

if ((a=b))... /* = vs == */

:(){ :|:& };: #Do NOT try this in bash, it will hang your system.

This has nothing to do with OpenBSD.

Posted May 5, 2007 18:22 UTC (Sat) by smoogen (subscriber, #97) [Link]

My only issue with write-only-code was that for a long time it was the preferred religion of many perl coders. Maybe it was job-security fears or the macho-ness that none of the other perl coders could figure out your hairy construct you came up with. This is not a language issue though.. it is a culture/religion issue and those are the ones that get people the most rankled... got to know who your buddies are and who you need to send the inquisition after...

Just fun

Posted May 5, 2007 18:45 UTC (Sat) by niner (subscriber, #26151) [Link]

I often try to solve some thing with as little lines of code or even characters as possible in Perl - and then throw this code away and replace it with a longer, maintainable version. It's just fun and nice practice, not unlike something mathematicians do.

To introduce such constructs into production code is irresponsible of course.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 6, 2007 7:55 UTC (Sun) by jengelh (subscriber, #33263) [Link]

>perl -e'$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print';

And for those stuck with such, try this:

perl -MO=Deparse -e '$_=q#: 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\2: 5/7\_/\7: 12m m::#;y#:#\n#;s#(\D)(\d+)#$1x$2#ge;print';
$_ = ': 13_2: 12/o{>: 8_4) (_4: 6/2^-2; 3;-2^\\2: 5/7\\_/\\7: 12m m::';
tr/:/\n/;
s/(\D)(\d+)/$1 x $2;/eg;
print $_;

It's so much easier to read, so why not use it should you stumble across such code.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:28 UTC (Tue) by nix (subscriber, #2304) [Link]

The shell won't like that: you open a ' quote and then close it in the middle of the block...

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:32 UTC (Tue) by jengelh (subscriber, #33263) [Link]

13:26 takeshi:~ > echo 'a''b''c'
abc

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:41 UTC (Tue) by nix (subscriber, #2304) [Link]

I don't see the relevance of that: there are no doubled quotes in the parent of your post. Everything from the third line onwards is *typed to the shell* because the ; on the previous line terminated the *shell's* command line, not perl's (you just closed the quote that would have protected the ; from the shell).

I don't think the shell likes

$_ = ...

as syntax very much.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 11:44 UTC (Tue) by jengelh (subscriber, #33263) [Link]

I thought you could figure out that the bold text is what you type, and the non-bold text is what you get. :-)

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 8, 2007 18:37 UTC (Tue) by nix (subscriber, #2304) [Link]

Oops, sorry, reading with links; no bold :) I see it with one of those
newfangled graphical browser thingies.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 10, 2007 10:28 UTC (Thu) by ekj (subscriber, #1524) [Link]

Any language *CAN* be obfuscated. However some obfuscate easier than others, and there are no other language where such a large set of coders took so obvious pride in unreadable gobbelydok. "Perl oneliner" anyone ?

It's more a question about culture than about the language as such really, allthough it *does* help the confusion and illegibility when you have a dozen or more "special" characters with various magical properties -- for added bonus, let their magical properties be dependent on context.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 7, 2007 15:14 UTC (Mon) by tjc (guest, #137) [Link]

... and lack of time to read the documentation.
I didn't find the documentation to be all that good. There's a lot of it, but that's not quite the same thing.

For example, porting an existing multi-file PHP application to perl is difficult, because multi-file applications are awkward and non-intuitive in Perl (nightmarish problems with variable scoping), and there's not much written about it.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 7, 2007 17:19 UTC (Mon) by niner (subscriber, #26151) [Link]

Yes, multi-file applications are a real horror in PHP. Always having to guess where an include file might be, where variables and functions are coming from and having fun getting your variables over-written because there is nothing like a name space concept...

But the horror really starts with the documentation. A bare minimum of explanation leaving out important details, wrong examples and promotion of bad coding style. And comments that gladly explain you how their hello world app works.

perldoc perlmod
perldoc perlsub
perldoc perltoot

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 9, 2007 15:54 UTC (Wed) by tjc (guest, #137) [Link]

... there is nothing like a name space concept...
It seems as though 545 other people share your concern:

http://new.petitiononline.com/mod_perl/signed.cgi?phpns

I think that if I were a serious PHP developer I'd probably sign up too.

1;

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 5, 2007 2:31 UTC (Sat) by chromatic (guest, #26207) [Link]

> You can rarely be 100% sure about what your Perl program actually does.

Actually, I'm often 100% sure about what my Perl programs actually do. I have a fairly good grasp of the language.

It's C and Haskell that give me trouble, often for very different reasons--respectively, spooky memory-clobbering action at a distance and spooky math concepts.

OpenBSD 4.1: Puffy Strikes Again (O'ReillyNet)

Posted May 6, 2007 19:08 UTC (Sun) by bronson (subscriber, #4806) [Link]

khim, are you seriously trying to claim that C is safer than Perl? Because that is, of course, demonstrably false.

And, no, that's not the definition of "unsafe" language. Unsafe languages tend to turn a tiny mistake by a programmer into a colossal security hole. While Perl suffers from many faults, this is certainly not one of them.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds