develooper Front page | perl.perl5.porters | Postings from October 2012

Re: Security Issues in perl-5.16.x

Thread Previous | Thread Next
From:
Aristotle Pagaltzis
Date:
October 1, 2012 18:18
Subject:
Re: Security Issues in perl-5.16.x
Message ID:
20121002011756.GA31092@fernweh.plasmasturm.org
* demerphq <demerphq@gmail.com> [2012-10-02 01:15]:
> Which module is that? Please start substantiating your accusations or
> stop spreading FUD.
>
> Seriously Reini, a lot of people have spent a lot of time looking into
> and discussing the issues you raise and we have in the past asked
> questions to substantiate your claims and gotten very little back to
> work with.

From the perspective of someone who is not on the perlsec list, this
entire conversation is completely useless – all I can see is mutual
finger-pointing and “you don’t get it” vs “you don’t know what you’re
talking about” with no facts on which to evaluate these claims.

For the 3rd time now, if memory serves.

And as long as the issue in question remains in obscurity, no one will
be able to tell which side is right.

I see no other way to resolve this than full disclosure. If you know
Reini’s claims are in fact FUD, then making the facts public doesn’t
matter anyhow, because no security issue is in fact implied. If you
cannot decide whether the issue is in fact sensitive or not, then making
them public will result in one of two outcomes: if there is an issue,
someone outside of Reini who understands the security implications can
try to lay them out for perlsec; or else everyone outside out of Reini
can see for themselves that there is no issue, and we can all go about
our merry ways. (For obvious reasons I’ll leave out the possibility that
you know his claims are true…)

Otherwise this issue is only going to come back up again periodically,
leading to another worthless round of “FUD” and finger-pointing yet.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>

Thread Previous | Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About