perl.perl5.porters: Postings from October 2012

Re: Security Issues in perl-5.16.x

From: Aristotle Pagaltzis
Date: October 1, 2012 20:49
Subject: Re: Security Issues in perl-5.16.x
Message ID: 20121002034907.GC31092@fernweh.plasmasturm.org

* demerphq <demerphq@gmail.com> [2012-10-02 04:05]:
> Perl never promised to save anyone from shooting their foot off, quite
> the opposite. That is very different from someone diligent being
> vulnerable because they use Perl due to a bug in Perl.
>
> So far you haven't shown the latter and this conversation sounds like
> FUD motivated by the p5p community not doing what you want us to do.

So far I don’t see any security implications either. This seems like
a case of Reini doing himself a disservice. Needlessly alarming rhetoric
or not, see, I agree with him that syscalls shouldn’t be passed NULs.
Sure, Perl enough rope to shoot yourself yada yada; but that applies to
where Perl doesn’t keep you from doing stupid things because doing so
would also keep you from doing clever things. In this case, which *are*
the clever things you could be doing? Can you illustrate how this aspect
of perl’s behaviour can be used fruitfully? Or is it just a (mostly
harmless?) oddity that won’t get fixed simply because, well, it’s stupid
and you’re allowed to do stupid things?

[Note I’m not (at this time) arguing about what action should be taken.
 What I’m asking is only whether we agree on the principle.]

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
