Re: Potentially insecure Perl scripts

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: Holger Levsen <holger@layer-acht.org>, security@debian.org, debian-devel@lists.debian.org, perl@packages.debian.org
Subject: Re: Potentially insecure Perl scripts
From: Dominic Hargreaves <dom@earth.li>
Date: Mon, 28 Jan 2019 17:10:04 +0000
Message-id: <[🔎] 20190128171004.oqjj2nfctfjrbbvc@urchin.earth.li>
In-reply-to: <[🔎] 23627.26240.941815.2438@chiark.greenend.org.uk>
References: <[🔎] 20190123130554.GA23813@cventin.lip.ens-lyon.fr> <[🔎] 20190124135558.GA6524@thunder.hadrons.org> <[🔎] 23625.54560.431642.679629@chiark.greenend.org.uk> <[🔎] 23625.55120.700245.2863@chiark.greenend.org.uk> <[🔎] 20190124200012.dmy2qejytrzw2op6@layer-acht.org> <[🔎] 23627.26240.941815.2438@chiark.greenend.org.uk>

On Fri, Jan 25, 2019 at 07:41:52PM +0000, Ian Jackson wrote:
> Holger Levsen writes ("Re: Potentially insecure Perl scripts"):
> > On Thu, Jan 24, 2019 at 03:18:40PM +0000, Ian Jackson wrote:
> > > To the Debian Perl maintainers: [...]
> > > To the Debian security team: [...]
> > 
> > I've read the whole thread and am surprised "talking to upstream" (and
> > fixing the issue there as well) hasn't really been on the table. :/ Did I
> > miss that?
> 
> This bug was reported upstream here 18 years ago
>   https://rt.perl.org/Public/Bug/Display.html?id=2783
> and they took of those years to sort-of half-document it.
> 
> I guess you mean that we should try again ?  That's probably
> worthwhile.
> 
> Maybe it would be best if this were fronted by someone who can bring
> themselves to be more diplomatic about this situation than I can find
> it in myself to be right now.

Myself or Niko can deal with taking this conversation upstream, but
please allow some time for this.

> In the meantime we do need to bear in mind that we do have
> approximately these two options:
> 
>  1. Change the behaviour of perl so that it matches the majority of
>     the documentation, so that -n and -p and <> fulfil their purpose
>     and can be used, and so that they satisfy the expections (or at
>     least wishes) of the vast majority of Perl programmers.
> 
>     Risk a probably tiny amount of fallout.
> 
>     If we do this in Debian without cooperation from upstream, set an
>     example which might lead other distros to fix it too; albeit
>     through diverging from upstream behaviour.
> 
>  2. Internally in Debian file a massive MBF to review thousands
>     and thousands of uses for safety.
> 
>     Leave the world's existing scripts to be insecure and tolerate
>     that people will continue to write insecure scripts.
> 
>     Write clumsy circumlocutions everywhere instead of <> and -p and
>     -n.  (Note that <<>> is not right because it does not honour `-'.)
> 
>     Add notes to the documentation saying never to use <> or
>     -p or -n (WTF).
> 
> (2) certainly cannot be done quickly.  If (1) cannot be done quickly
> it should IMO be done slowly.

Again - please do not force us to rush this. It is not a new situation
so rushing and panicing is not warranted.

Fixing this situation in collaboration with upstream is the only sane
approach, however the final details are worked out.

Dominic.

Reply to:

References:
- Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Guillem Jover <guillem@debian.org>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Potentially insecure Perl scripts
  - From: Holger Levsen <holger@layer-acht.org>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#920684: ITP: JDim - JD fork, simple browser for "2ch-style" web forum sites
Next by Date: Bug#920771: ITP: jodd -- Java utility library and set of frameworks
Previous by thread: Re: Potentially insecure Perl scripts
Next by thread: Re: Potentially insecure Perl scripts
Index(es):
- Date
- Thread