
Re: Perl 5.24.1-RC4 is now available!

From: Sawyer X
Date: October 22, 2016 16:13
Subject: Re: Perl 5.24.1-RC4 is now available!
Message ID: 0e0f5164-f3cc-04d9-f368-63c16db90d8f@gmail.com

Hi Michael,


On 10/19/2016 11:30 AM, Michael Schroeder wrote:
> On Mon, Oct 17, 2016 at 10:52:21PM +0200, Sawyer X wrote:
>>> I don't see how you can ship that as a maintenance update.
>> I understand it is important to you, Michael, and I respect that. I hope
>> you understand it is important to us as well and that is why we decided
>> on this course of action. It is our position that security in this case
>> takes precedence.
> Ok, let me state again my two points. This is all "IMHO", so feel free
> to ignore me.
>
>
> 1) For a maintenance update not breaking things should be the top
> priority. Sometimes (like with security changes) breaking some
> code can't be helped. But with the current code there's a case where
> you break code without need: this is when %{"$base\::"} is empty.
>
> In that case you know that this is not an optional load. So it would
> be in the spirit of the rest of the fixes to not remove '.' from @INC.
> Nevertheless you do it because of "consistency reasons". That's
> not "security takes precedence".
>
> Also note that the big reworded error message is only shown in this
> case, i.e. when there is actually no need to remove '.'.

I believe you're right about this. We're postponing the release while
Aristotle is trying to alter the patch to protect against this.

Thank you for clarifying this point and pushing on it.
