[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Feaping Creature-ism in core Debian Packages

According to Alan Cox:
> I was told that old releases where not maintained - eg perl4.  How
> far back does the maintenance go?

Two stable versions: Perl 5.4 and 5.5 are maintained, while 5.6 is in
development and not yet released.  As a practical matter, the
installed base of 5.4 is so large that we'll probably issue periodic
patches for it for years to come.

The minimum recommended version of Perl is 5.4.5.  All versions prior
to 5.4 have security issues that no one has had the time+inclination
to fix properly.  (It might be possible to retrofit some of the buffer
overflow patches into 5.3, but 5.3 also has memory leaks and other
problems.  And let's not even talk about pre-5.3.)

And, yes, some vendors still ship Perl 4.  They shouldn't.  I'd like
to beat them severely about the head and shoulders with a printout of
the relevant CERT security advisories.  For Pete's sake, Perl 5 has
been around longer than all the previous versions of Perl combined.

> So a standard that explicitly required say Perl 5.5 would be long
> term acceptable and maintainable?

Yes, I think it would be reasonable to keep a _minimal_ Perl 5.5 (the
equivalent of perl-5.005-base) on every Debian system for the next
three to five years.

HOWEVER, I don't want to freeze /usr/bin/perl.  Any scripts that want
to depend on a specific version should use a new "alternatives" entry
("#!/usr/bin/stable-perl") or explicit version ("#!/usr/bin/perl5.005").
Chip Salzenberg      - a.k.a. -      <chip@perlsupport.com>
      "When do you work?"   "Whenever I'm not busy."

Reply to: