develooper Front page | perl.perl5.porters | Postings from February 2020

Re: Backporting ac3afc4b35 (regcomp.c: make \K+ and \K* illegal.)

Curtis Jewell
February 7, 2020 22:29
(I don't speak up often, so forgive me.)

This feels like a letter vs. spirit of the law question, and the reason I say that is that the behavior being forbidden was already being warned about - we're upgrading a warning to an error in some cases of the warning. Said reworking would be to literally not do the cherry-pick, because of that - at least as I see it. But yes, that's impolite to us users without a good reason in a maint release - but not strongly so.

I would ask if this commit was attached to a CVE, or something else security related, which would be a good enough reason... and I could easily see the answer being yes, but let's document said yes answer, if that is the case. If not, I would not vote for it, due to the policy, if I was one of the people voting - but I'm not a committer, so call my vote a -0.

--Curtis Jewell

On Fri, Feb 7, 2020, at 11:08, Steve Hay via perl5-porters wrote:
> The following commit has been proposed for 5.30.2:
> regcomp.c: make \K+ and \K* illegal. 
> However, it adds a new fatal error, which we undertake not to do in 
> maint releases (see perlpolicy.pod).
> Unless there is some overriding (security-based) need to have it then I 
> think we should not, at least in its current form.
> If it really is an essential fix to include then is there some way to 
> rework it that retains the fix itself but without introducing the new 
> error?

Curtis Jewell 
"Your random numbers are not that random" -- perl-5.10.1.tar.gz/util.c
