Mailing List Archive

RFC: Removing CGI.pm from the core distribution
I think it's time to seriously consider removing CGI.pm from the core
distribution. It is no longer what I'd point *anyone* at for writing *any*
sort of web code. It is in the core, as far as I know, because once it was the
state of the art, and a major reason for many people to use the language. I
don't think either is true now. Finally, if you need CGI, it's easy to install
after installing perl, just like everything else we've dropped from the core
distribution.

In the past two years, all my interactions with CGI.pm have been to fix bugs or
send pull requests to quiet it from making noise in the core. I expect others
here have had the same experience.

Are there any arguments out there to compel me to feel otherwise about this?

--
rjbs
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Thu, May 23, 2013 at 7:50 PM, Ricardo Signes
<perl.p5p@rjbs.manxome.org> wrote:
> I think it's time to seriously consider removing CGI.pm from the core

+1

--
David Golden <xdg@xdg.me>
Take back your inbox! → http://www.bunchmail.com/
Twitter/IRC: @xdg
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
> I think it's time to seriously consider removing CGI.pm from the core
> distribution.  


+1

Mark
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On 5/23/13 7:50 PM, Ricardo Signes wrote:
>
> I think it's time to seriously consider removing CGI.pm from the core
> distribution.

+1 ... but at the same time, I special shout-out to Lincoln Stein for
this historically important technology!
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, May 24, 2013 at 1:50 AM, Ricardo Signes
<perl.p5p@rjbs.manxome.org> wrote:
> I think it's time to seriously consider removing CGI.pm from the core
> distribution. It is no longer what I'd point *anyone* at for writing *any*
> sort of web code. It is in the core, as far as I know, because once it was the
> state of the art, and a major reason for many people to use the language.

AFAIK, it's in core because perl 4 shipped with all then-known
libraries and CPAN wasn't founded until a year after perl 5 came out
:-|

> I
> don't think either is true now. Finally, if you need CGI, it's easy to install
> after installing perl, just like everything else we've dropped from the core
> distribution.

I think the "it will be installed everywhere" is the one valid reason
why one may want to use CGI.pm.

> In the past two years, all my interactions with CGI.pm have been to fix bugs or
> send pull requests to quiet it from making noise in the core. I expect others
> here have had the same experience.
>
> Are there any arguments out there to compel me to feel otherwise about this?

Another datapoint: CGI.pm is very much facing the hostile internet.
That means that any security issue in CGI is currently our problem
too.

Leon
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
* James E Keenan <jkeen@verizon.net> [2013-05-23T21:19:53]
> On 5/23/13 7:50 PM, Ricardo Signes wrote:
> >
> >I think it's time to seriously consider removing CGI.pm from the core
> >distribution.
>
> +1 ... but at the same time, I special shout-out to Lincoln Stein
> for this historically important technology!

Indeed! My world would be a different place without CGI.pm, for sure.

--
rjbs
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Thu, 23 May 2013 19:50:55 -0400, Ricardo Signes
<perl.p5p@rjbs.manxome.org> wrote:

> I think it's time to seriously consider removing CGI.pm from the core
> distribution. It is no longer what I'd point *anyone* at for writing *any*
> sort of web code. It is in the core, as far as I know, because once it was the
> state of the art, and a major reason for many people to use the language. I
> don't think either is true now. Finally, if you need CGI, it's easy to install
> after installing perl, just like everything else we've dropped from the core
> distribution.
>
> In the past two years, all my interactions with CGI.pm have been to fix bugs or
> send pull requests to quiet it from making noise in the core. I expect others
> here have had the same experience.
>
> Are there any arguments out there to compel me to feel otherwise about this?

I suggested removal of CGI back in 2001 (I checked). I see no reason
whatsoever to keep it in CORE (other than people expecting it to be
in CORE)

++ for removal

--
H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/
using perl5.00307 .. 5.17 porting perl5 on HP-UX, AIX, and openSUSE
http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/
http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On 24 May 2013 08:46, H.Merijn Brand <h.m.brand@xs4all.nl> wrote:
> On Thu, 23 May 2013 19:50:55 -0400, Ricardo Signes
> <perl.p5p@rjbs.manxome.org> wrote:
>
>> I think it's time to seriously consider removing CGI.pm from the core
>> distribution. It is no longer what I'd point *anyone* at for writing *any*
>> sort of web code. It is in the core, as far as I know, because once it was the
>> state of the art, and a major reason for many people to use the language. I
>> don't think either is true now. Finally, if you need CGI, it's easy to install
>> after installing perl, just like everything else we've dropped from the core
>> distribution.
>>
>> In the past two years, all my interactions with CGI.pm have been to fix bugs or
>> send pull requests to quiet it from making noise in the core. I expect others
>> here have had the same experience.
>>
>> Are there any arguments out there to compel me to feel otherwise about this?
>
> I suggested removal of CGI back in 2001 (I checked). I see no reason
> whatsoever to keep it in CORE (other than people expecting it to be
> in CORE)
>
> ++ for removal

Ditto.

Yves


--
perl -Mre=debug -e "/just|another|perl|hacker/"
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
Leon Timmermans wrote:
> On Fri, May 24, 2013 at 1:50 AM, Ricardo Signes
> <perl.p5p@rjbs.manxome.org> wrote:
>> I think it's time to seriously consider removing CGI.pm from the core
>> distribution. It is no longer what I'd point *anyone* at for writing *any*
>> sort of web code. It is in the core, as far as I know, because once it was the
>> state of the art, and a major reason for many people to use the language.
>
> AFAIK, it's in core because perl 4 shipped with all then-known
> libraries and CPAN wasn't founded until a year after perl 5 came out
> :-|
>

This is probably the reason it is still in.

+1 for removal

I don't use Perl for webhosting, so none of the CGI stuff or numerous DB
modules I have ever used.
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
Hello

2013/5/24 Ricardo Signes <perl.p5p@rjbs.manxome.org>:
>
> I think it's time to seriously consider removing CGI.pm from the core
> distribution. It is no longer what I'd point *anyone* at for writing *any*
> sort of web code. It is in the core, as far as I know, because once it was the
> state of the art, and a major reason for many people to use the language. I
> don't think either is true now.

Many people still use programs that use CGI.pm, for ex. from NMS
collection. And CGI.pm is easiest to start with.

> Finally, if you need CGI, it's easy to install
> after installing perl, just like everything else we've dropped from the core
> distribution.

It would not be easy to do on web hosting which does not has
possibility of installing modules from CPAN. Also currently CGI.pm
requires FCGI which requires compiler which frequently is not
installed.
>
> In the past two years, all my interactions with CGI.pm have been to fix bugs or
> send pull requests to quiet it from making noise in the core. I expect others
> here have had the same experience.

I use CGI::Applications (mostly for old programs), it uses CGI.pm.
Also if I need a very simple web program, I use CGI.pm directly.


--
Alexandr Ciornii, http://chorny.net
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On 24 May 2013 11:06, Alexandr Ciornii <alexchorny@gmail.com> wrote:
> Hello
>
> 2013/5/24 Ricardo Signes <perl.p5p@rjbs.manxome.org>:
>>
>> I think it's time to seriously consider removing CGI.pm from the core
>> distribution. It is no longer what I'd point *anyone* at for writing *any*
>> sort of web code. It is in the core, as far as I know, because once it was the
>> state of the art, and a major reason for many people to use the language. I
>> don't think either is true now.
>
> Many people still use programs that use CGI.pm, for ex. from NMS
> collection. And CGI.pm is easiest to start with.
>
>> Finally, if you need CGI, it's easy to install
>> after installing perl, just like everything else we've dropped from the core
>> distribution.
>
> It would not be easy to do on web hosting which does not has
> possibility of installing modules from CPAN. Also currently CGI.pm
> requires FCGI which requires compiler which frequently is not
> installed.

Maybe the consequence of this would be that hosting services start
adopting a more progressive approach to this subject.

Yves



--
perl -Mre=debug -e "/just|another|perl|hacker/"
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, May 24, 2013 at 12:06:49PM +0300, Alexandr Ciornii wrote:
> Hello
>
> 2013/5/24 Ricardo Signes <perl.p5p@rjbs.manxome.org>:
> >
> > I think it's time to seriously consider removing CGI.pm from the core
> > distribution. It is no longer what I'd point *anyone* at for writing *any*
> > sort of web code. It is in the core, as far as I know, because once it was the
> > state of the art, and a major reason for many people to use the language. I
> > don't think either is true now.
>
> Many people still use programs that use CGI.pm, for ex. from NMS
> collection. And CGI.pm is easiest to start with.

I'm aware of NMS, and that it was deliberately targeting CGI.pm to promote
modules, code re-use, and not screwing up security related issues things
like parameter parsing.

Presumably every web framework out there is having to deal with form
parameters and URI escaping/unescaping. And avoid making goofs. And deal
with changes like ';' instead of '&'.

Is there something small which just does this?
Should the core be providing such foundation functionality?
(Although then you get to HTML entities, which starts to get big?)

> > Finally, if you need CGI, it's easy to install
> > after installing perl, just like everything else we've dropped from the core
> > distribution.
>
> It would not be easy to do on web hosting which does not has
> possibility of installing modules from CPAN. Also currently CGI.pm
> requires FCGI which requires compiler which frequently is not
> installed.

Yes, this is strange. The core merrily ships CGI.pm without FCGI, yet the
CPAN version of CGI.pm insists that FCGI is a hard dependency. Clearly the
dependency can't be a hard dependency, else the version shipped by the core
wouldn't work.

And, as you say, the dependency makes it hard to install (or upgrade) CGI.pm
on a system without a compiler.

What stops CGI.pm making FCGI optional? Or splitting out the FCGI support
into a separate distribution?

> > In the past two years, all my interactions with CGI.pm have been to fix bugs or
> > send pull requests to quiet it from making noise in the core. I expect others
> > here have had the same experience.
>
> I use CGI::Applications (mostly for old programs), it uses CGI.pm.
> Also if I need a very simple web program, I use CGI.pm directly.

But you have to install CGI::Applications from CPAN. So it shouldn't be
any harder to install CGI.pm and CGI::Applications from CPAN.

Nicholas Clark
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, 24 May 2013 12:06:49 +0300, Alexandr Ciornii
<alexchorny@gmail.com> wrote:

> Hello
>
> 2013/5/24 Ricardo Signes <perl.p5p@rjbs.manxome.org>:
> >
> > I think it's time to seriously consider removing CGI.pm from the core
> > distribution. It is no longer what I'd point *anyone* at for writing *any*
> > sort of web code. It is in the core, as far as I know, because once it was the
> > state of the art, and a major reason for many people to use the language. I
> > don't think either is true now.
>
> Many people still use programs that use CGI.pm, for ex. from NMS
> collection. And CGI.pm is easiest to start with.

For extremely simple and easy things I also still use CGI, but I still
vote for CORE-removal. CPAN is good-enough. Really.

The core decision is not to deprecate CGI as a module, it is trying to
remove the bundling with CORE.

> > Finally, if you need CGI, it's easy to install after installing perl,
> > just like everything else we've dropped from the core distribution.
>
> It would not be easy to do on web hosting which does not has
> possibility of installing modules from CPAN. Also currently CGI.pm
> requires FCGI which requires compiler which frequently is not
> installed.
>
> > In the past two years, all my interactions with CGI.pm have been to fix bugs or
> > send pull requests to quiet it from making noise in the core. I expect others
> > here have had the same experience.
>
> I use CGI::Applications (mostly for old programs), it uses CGI.pm.
> Also if I need a very simple web program, I use CGI.pm directly.

--
H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/
using perl5.00307 .. 5.17 porting perl5 on HP-UX, AIX, and openSUSE
http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/
http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, 24 May 2013 11:06:49 +0200, Alexandr Ciornii
<alexchorny@gmail.com> wrote:

> 2013/5/24 Ricardo Signes <perl.p5p@rjbs.manxome.org>:
>>
>> Finally, if you need CGI, it's easy to install after installing perl,
>> just like
>> everything else we've dropped from the core distribution.
>
> It would not be easy to do on web hosting which does not has
> possibility of installing modules from CPAN. Also currently CGI.pm
> requires FCGI which requires compiler which frequently is not
> installed.

I ask for this to be considered a blocker for uncoring CGI.pm. As much as
i dislike it, many people are in environments where no compiler is
available (welcome to corporate policy) and will have a very rude
awakening many years in the future when their Perl is upgraded.

--
With regards,
Christian Walde
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
demerphq <demerphq@gmail.com> writes:

>> It would not be easy to do on web hosting which does not has
>> possibility of installing modules from CPAN. Also currently CGI.pm
>> requires FCGI which requires compiler which frequently is not
>> installed.
>
> Maybe the consequence of this would be that hosting services start
> adopting a more progressive approach to this subject.

That would have been so several years ago. I don't think it works like
that nowadays.

Hosting provider: Here's your system. Good luck.
Client: Hey, I need perl!
Hosting provider: Perl's on the system.
Client: But I need to install modules to get my web application going.
Hosting provider: Can't do. Please use php / ruby / ... instead.

-- Johan
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
"H.Merijn Brand" <h.m.brand@xs4all.nl> writes:

> The core decision is not to deprecate CGI as a module, it is trying to
> remove the bundling with CORE.

Never underestimate the benefits of being a core module.

As a core module, CGI.pm is guaranteed to be there, and it will work.
If you want something quick and simple, CGI.pm is the obvious choice.

As a CPAN module, you'll have to install it yourself, if you can, and
there's no guarantee it will work.

And, if you want something quick and simple, use CPAN search and find
yourself drowned in houndreds of CGI handling modules. Good luck finding
one that suits your needs. And works.

The bottom line is: Do we want to ship perl such that it is easy to get
started with simple web applications? If so we either need to include
CGI.pm in the core, or put it on CPAN *and*make*sure*it*works.
No change in maintenance burden.

-- Johan
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, 24 May 2013 14:03:47 +0200, Johan Vromans
<jvromans@squirrel.nl> wrote:

> "H.Merijn Brand" <h.m.brand@xs4all.nl> writes:
>
> > The core decision is not to deprecate CGI as a module, it is trying to
> > remove the bundling with CORE.
>
> Never underestimate the benefits of being a core module.

I don't

> As a core module, CGI.pm is guaranteed to be there, and it will work.
> If you want something quick and simple, CGI.pm is the obvious choice.

I already hit this situation with Text::Soundex. Is still stand behind
my vote.

> As a CPAN module, you'll have to install it yourself, if you can, and
> there's no guarantee it will work.

Or install it as a prepackaged distribution asset. Most if not all
vendors have *a lot* of perl packages as prepacked rpm/deb/sd/whatever
available. It might even be an even higher guarantee to work in your
environment.

If you use perlbrew in order not to mess with system-perl this problem
doesn't exist at all.

If you depend on a hosting provider, having perl without *any*
web-support is useless, so the provider will have to do something
anyway.

> And, if you want something quick and simple, use CPAN search and find
> yourself drowned in houndreds of CGI handling modules. Good luck finding
> one that suits your needs. And works.
>
> The bottom line is: Do we want to ship perl such that it is easy to get
> started with simple web applications? If so we either need to include
> CGI.pm in the core, or put it on CPAN *and*make*sure*it*works.
> No change in maintenance burden.

--
H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/
using perl5.00307 .. 5.17 porting perl5 on HP-UX, AIX, and openSUSE
http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/
http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
"H.Merijn Brand" <h.m.brand@xs4all.nl> writes:

> If you depend on a hosting provider, having perl without *any*
> web-support is useless, so the provider will have to do something
> anyway.

See my other mail.

-- Johan
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, May 24, 2013 at 02:03:47PM +0200, Johan Vromans wrote:

> Never underestimate the benefits of being a core module.

Yes. You now have the perceived advantages of being "blessed", "supported"
and "installed". However true those statements aren't.

> As a core module, CGI.pm is guaranteed to be there, and it will work.
> If you want something quick and simple, CGI.pm is the obvious choice.

This is not strictly true, as I believe that at least one point FreeBSD
removed it from their base distribution of perl. But I don't know if that
was a "glitch", later resolved by removing the need for perl to be in the
base distribution (and hence the reason why they really wanted their perl
to be smaller).

But it's as good as true, because I'm not aware of any other OS or vendor
doing something similar. And likely the places where this matters aren't
running FreeBSD.

> As a CPAN module, you'll have to install it yourself, if you can, and
> there's no guarantee it will work.

I'm having trouble parsing the last "it". In that, if you can install it
(the module), then I'm failing to envisage a situation where the code
wouldn't work, as the code is identical. Any more (or less) than your
hosting provider (or their OS "vendor") is capable of screwing up packaged
modules.

But I totally agree with the point - there is no guarantee that you would
be able to install a working version.

The reason I quibble the detail is that as I can't see what could go wrong
with the code itself (distinct from attempting the installation of the code)
and hence how to make the code itself more robust.

> And, if you want something quick and simple, use CPAN search and find
> yourself drowned in houndreds of CGI handling modules. Good luck finding
> one that suits your needs. And works.

That tyranny of choice also makes it very hard to find a single replacement.

> The bottom line is: Do we want to ship perl such that it is easy to get
> started with simple web applications? If so we either need to include
> CGI.pm in the core, or put it on CPAN *and*make*sure*it*works.
> No change in maintenance burden.

Yes. Which means that its current "need" for FCGI needs to be resolved
first.

Nicholas Clark
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
Nicholas Clark <nick@ccl4.org> writes:

>> As a CPAN module, you'll have to install it yourself, if you can, and
>> there's no guarantee it will work.
>
> I'm having trouble parsing the last "it". In that, if you can install it
> (the module), then I'm failing to envisage a situation where the code
> wouldn't work, as the code is identical.

It is -- now. But currently CGI.pm is part of perl, in synch, and
maintained together. If removed from the core, there's no guarantee that
CPAN versions of CGI.pm will work with this or newer perls.

-- Johan
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
* Christian Walde <walde.christian@gmail.com> [2013-05-24T05:56:48]
> On Fri, 24 May 2013 11:06:49 +0200, Alexandr Ciornii
> <alexchorny@gmail.com> wrote:
> >It would not be easy to do on web hosting which does not has
> >possibility of installing modules from CPAN. Also currently CGI.pm
> >requires FCGI which requires compiler which frequently is not
> >installed.
>
> I ask for this to be considered a blocker for uncoring CGI.pm. As
> much as i dislike it, many people are in environments where no
> compiler is available (welcome to corporate policy) and will have a
> very rude awakening many years in the future when their Perl is
> upgraded.

Thank you for bringing this to my attention. I have filed:

https://rt.cpan.org/Ticket/Display.html?id=85595

--
rjbs
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, May 24, 2013 at 2:25 AM, Nicholas Clark <nick@ccl4.org> wrote:

>> It would not be easy to do on web hosting which does not has
>> possibility of installing modules from CPAN. Also currently CGI.pm
>> requires FCGI which requires compiler which frequently is not
>> installed.
>
> Yes, this is strange. The core merrily ships CGI.pm without FCGI, yet the
> CPAN version of CGI.pm insists that FCGI is a hard dependency. Clearly the
> dependency can't be a hard dependency, else the version shipped by the core
> wouldn't work.
>
> And, as you say, the dependency makes it hard to install (or upgrade) CGI.pm
> on a system without a compiler.
>
> What stops CGI.pm making FCGI optional? Or splitting out the FCGI support
> into a separate distribution?

+1 to get FCGI dependency out of CGI.pm and make a separate
distribution. My experience tells Mark Stosberg, current maintainer of
CGI.pm, is likely in favor of splitting out these kinds of
dependencies out of distributions.


--
Tatsuhiko Miyagawa
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Fri, May 24, 2013 at 7:53 AM, Johan Vromans <jvromans@squirrel.nl> wrote:

> demerphq <demerphq@gmail.com> writes:
>
> >> It would not be easy to do on web hosting which does not has
> >> possibility of installing modules from CPAN. Also currently CGI.pm
> >> requires FCGI which requires compiler which frequently is not
> >> installed.
> >
> > Maybe the consequence of this would be that hosting services start
> > adopting a more progressive approach to this subject.
>
> That would have been so several years ago. I don't think it works like
> that nowadays.
>
> Hosting provider: Here's your system. Good luck.
> Client: Hey, I need perl!
> Hosting provider: Perl's on the system.
> Client: But I need to install modules to get my web application going.

Hosting provider: Can't do. Please use php / ruby / ... instead.
>

huh? It's not like you need special permissions to install modules!
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Sat, May 25, 2013 at 12:42 AM, Eric Brine <ikegami@adaelis.com> wrote:
> huh? It's not like you need special permissions to install modules!

I think the point was that the CPAN CGI distribution depends on FCGI,
which requires a complier, which not all hosting providers offer.
Hosting providers may not provide shell access, either, which makes
module installation harder.

But (a) we're going to get the FCGI dependency fixed, I think, and (b)
I don't think core Perl decisions should be based on meeting the needs
of people on lobotomized hosting plans.

David



--
David Golden <xdg@xdg.me>
Take back your inbox! → http://www.bunchmail.com/
Twitter/IRC: @xdg
Re: RFC: Removing CGI.pm from the core distribution [ In reply to ]
On Sat, May 25, 2013 at 6:42 AM, Eric Brine <ikegami@adaelis.com> wrote:
> huh? It's not like you need special permissions to install modules!

Now if only someone would make a web based CPAN client (that would
also install local::lib if required). Actually bootstrapping that
would be the only reason I'd ever use CGI.pm…

Leon

1 2  View All