perl.perl5.porters: Postings from October 2016

Re: Perl 5.24.1-RC4 is now available!

From: Sawyer X
Date: October 17, 2016 20:52
Subject: Re: Perl 5.24.1-RC4 is now available!
Message ID: 69e1ac54-8500-d536-ad83-bcf9fbc05efd@gmail.com

On 10/17/2016 11:32 AM, Michael Schroeder wrote:
> On Sat, Oct 15, 2016 at 06:52:59PM +0200, Sawyer X wrote:
>> This took a long time, but we're finally here!
> Hmm, it still contains the base.pm INC mess. I thought there was some
> consensus to revert it back to the 5.24.0 state?

This is incorrect. There were discussions on the list in which multiple
suggestions were offered. This included providing the original patch,
providing an alternative patch, or reverting the entire patch. There was
no consensus.

The discussions continued on and off the security mailing list and a
decision was made to keep a patch, but a revised one, to minimize the
possible damage as much as possible, but retain the security benefits.

> See the "Alternative Fix for base.pm dot-in-INC mechanic." p5p
> thread. As stated there, the current code punishes those cases where
> the old code was perfectly safe, and leads to unpredictable
> behavior in the problematic cases (when %{"$base\::"} is not empty).

While it might "punish" some legitimate usages, it - at the same time -
defends users who are unaware of the security implications involved and
are possibly vulnerable to them. The decision was based on defending
rather than hoping users won't be attacked. That is the approach that
yielded the original set of patches and it is the approach that yielded
a patch (albeit revised) to this particular module as well.

> I don't see how you can ship that as a maintenance update.

I understand it is important to you, Michael, and I respect that. I hope
you understand it is important to us as well and that is why we decided
on this course of action. It is our position that security in this case
takes precedence.

If this was not part of a maintenance release (and dual-life modules),
then this would have only benefited whoever changed to 5.26, which we
consider insufficient. We have also tried finding a way in which no
legitimate usages of base.pm will be affected, but we could not.

We apologize for any problems this causes you, but we consider this the
best we could do.

Sawyer.
