develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

From: David Golden
Date: October 1, 2012 17:15
Subject: Re: Security Issues in perl-5.16.x
Message ID: CAOeq1c_WJc1ahk8FOUm1vvBkF2iH6vOMD3RXqhfK4P5zn2oo0Q@mail.gmail.com

On Mon, Oct 1, 2012 at 8:01 PM, Reini Urban <rurban@x-ray.at> wrote:
> It just needed about 6 months to acknowledge most issues.
> Problem is that most authors do understand the issues, just p5p and
> the security list not. Which makes me wonder.

What it should make you wonder is how well you have explained things.

Consider these possibilities:

(a) you explained things brilliantly, and the sizable and
not-unskilled set of people on the security list* are too stupid to
understand or have ulterior motives to ignore your advice

(b) you explained things tolerably, and the sizable and not-unskilled
set of people on the security list* misunderstood what you said

Without any additional information, I think an unbiased person might
conclude that the likelihood of miscommunication is higher than the
likelihood of the incompetence or malfeasance of the entire security
list.

Further, one of those is consistent with the actual response, which
has been, to a large degree, "sorry, Reini, we still don't understand.
 Could you please give us a working example of an exploit that
demonstrates it?"

And therein lies the impasse.

I think we would all welcome less finger pointing and more
constructive dialog to get past what is, in all probability, just a
misunderstanding.

David

* The sec list members are mostly current/former pumpkings and select
others deemed to have relevant expertise

-- 
David Golden <xdg@xdg.me>
Take back your inbox! → http://www.bunchmail.com/
Twitter/IRC: @xdg
