[Freedombox-discuss] secure UUIDs



Quoting Tim Retout (2013-07-22 10:06:56)
> On 21 Jul 2013 00:05, "Jonas Smedegaard" <dr at jones.dk> wrote:
>> As mentioned in my previous reply I am working on getting the proper 
>> CPAN Data::UUID in Debian, so would be great if you could similarly 
>> take a look at that.
> 
> I do not trust CPAN's Data::UUID for other reasons - I filed RT bug 
> #69277 a while ago (symlink attack):
> 
> https://rt.cpan.org/Public/Bug/Display.html?id=69277
> 
> This was while working on Debian bug #632608:
> 
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632608
> 
> In short, Data::UUID does not work well on multi-user systems. I seem 
> to recall that every user after the first to use the module will end 
> up ignoring whatever it was storing in /tmp. I can't see anything in 
> the changelog that has addressed this.

Arrgh...!

You just educated me to inspect bugtrackers more closely: Perhaps if 
you'd not closed the Debian bug but left it open and tagged as wontfix, 
then I'd have noticed it when making a move now - but that doesn't excuse 
my lack of looking at upstream bugtracker(s - there are more than one!).


 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private