
RC2 is out

From: Jarkko Hietaniemi
Date: July 11, 2003 05:46
Subject: RC2 is out
Message ID: 20030711124648.GF225704@kosh.hut.fi

	Many an ancient lord's last words had been, "You can't kill
	me because I've got magic aaargh."
	-- Terry Pratchett, "Interesting Times"

*SIGH*

	http://www.iki.fi/jhi/perl-5.8.1-RC2.tar.b22

(just the bz2)

(or rsync -avz ftp.linux.activestate.com::perl-5.8.x perl-5.8.x)

and in a while the public

	http://www.cpan.org/authors/id/J/JH/JHI/jhi/perl-5.8.1-RC2.tar.gz

- RC1 was broken on AIX.  That had to be fixed.  (I suspect it
  was similarly broken on Win32, OS/2, and Mac OS Classic, too:
  all platforms that require explicit symbol export when linking.)

- If we are to deprecate the v-strings there must be a warning.
  Now there is.  I think I missed some deprecation warnings
  so there will be some test noise, but I'm now too tired to care.

- After much groaning, my hair turning grey(er), and gnashing of
  teeth, I chickened out of the hash randomisation.  It's no more
  on by default, but still enableable by setting the $ENV{PERL_HASH_SEED},
  and one can compile with -DUSE_HASH_SEED to enable it by default.
  But read on....

  There are no good choices.

	- Making the randomisation default will break code.
	  Admittedly code that was broken to begin with, mostly.
	  But it is still breakage, and this is supposed to be
	  a maintenance release.

	- The randomisation was supposed to help especially places
	  where hash keys originate from the (assumedly Evil) Outside:
	  places like servers with CGI scripts, mod_perl, web services.

	- I hope Stas can figure out how to make the (now optional)
	  randomisation and mod_perl work together.

	- But how do we (can we?) help places which only have basic
	  vanilla CGI scripts, beginning with #!/usr/bin/perl -Tw?
	  They won't receive the $ENV{PERL_HASH_SEED} unless the
	  sites recompile their CGI-serving Perl with -DUSE_HASH_SEED,
	  and how likely is that to happen, really?  Not very.
	  Given the likely very low deployment level of the randomisation
	  when it's not the default, I'm tempted to say it's quite
	  a useless feature.

	- Wrappers to CGI scripts that set the $ENV{PERL_HASH_SEED}?
	  Some special Perl command line option that enables the hash
	  randomisation? (it can't be a module or a pragma: by the time
	  we can run modules it's already far too late to change the
	  hash seed)
	  
	- I hope people with more web server experience than me
	  can come up with some good recommendations.  This is
	  a new threat, and people will want ways to defend
	  against it.

Now I really need to go home and start packing.  See some of you in
Paris (and London before that).

-- 
Jarkko Hietaniemi <jhi@iki.fi> http://www.iki.fi/jhi/ "There is this special
biologist word we use for 'stable'.  It is 'dead'." -- Jack Cohen
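
The wrapper idea raised in the message above, as an added example that is not part of the original post or of the Perl distribution: a POSIX sh CGI wrapper that sets a fresh PERL_HASH_SEED for each request and then runs the real script. It assumes PERL_HASH_SEED accepts an unsigned integer and that /dev/urandom is available; `REAL_SCRIPT` is a placeholder path, and `gen_seed` and `run_seeded` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: CGI wrapper that gives each request its own hash seed.
# Assumptions: PERL_HASH_SEED accepts an unsigned integer; /dev/urandom exists.
# REAL_SCRIPT is a placeholder; point it at the actual Perl CGI script.
REAL_SCRIPT=/path/to/real-script.cgi

# Print a non-zero 32-bit seed from the kernel RNG, or fail.
gen_seed() {
    [ -r /dev/urandom ] || return 1
    seed=$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')
    case $seed in
        # Reject empty or non-numeric output. Zero is rejected too, on the
        # assumption that it could mean "no randomisation".
        ''|0|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$seed"
}

# Overwrite any inherited PERL_HASH_SEED, then replace this shell with the
# given command. Fails closed: no seed means the script is not run at all.
run_seeded() {
    PERL_HASH_SEED=$(gen_seed) || {
        printf 'Status: 500 Internal Server Error\r\n'
        printf 'Content-Type: text/plain\r\n\r\nhash seed unavailable\n'
        return 1
    }
    export PERL_HASH_SEED
    exec "$@"
}

# The target is fixed here rather than taken from argv, because a web server
# may pass query-string words to a CGI program as command-line arguments.
# Those arguments are only forwarded to the real script, never executed.
if [ -x "$REAL_SCRIPT" ]; then
    run_seeded "$REAL_SCRIPT" "$@"
fi
```

The seed is set before the interpreter starts, which is the point made in the message: a module or pragma would run too late to change it.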
