Re: The YAML::XS situation
On Mon, May 8, 2017 at 3:57 AM, Christoph Biedl wrote:
> So this leaves us with fixing the module libyaml-libyaml-perl, also in
> older releases, and reviewing all code in Debian that uses this
> package. There are about 38 packages to sift through, and at a quick
> glance duck (Debian URL checker) is one of those that are affected.
Agreed. Please also take a look at codesearch, not just reverse deps.
> * Make the re-instantiation configurable, default OFF
I would say this is the most viable choice.
> - As above, it's a fork
> - This makes applications behave differently when running on different
> distributions.
This change needs to get forwarded upstream and if they won't have it
then forwarded to all the distributions.
> - We'd have to identify all applications that actually need that
> feature and patch them. As above, their number might be zero but
> certainly is lower than with "default ON" above.
I expect this number will be zero, but the config option will make it
easy to fix any that are found.
> More ideas?
I suggest the Perl team:
Audit new/updated Perl code for known-unsafe behaviour, like using
`use lib`, qx/``, system/popen without lists, open with pipes etc.
Talk to Perl upstream about deprecating all these things.
Run perlcritic (and maybe other linters) over new/updated Perl code
introduced to Debian.
https://anonscm.debian.org/cgit/collab-maint/check-all-the-things.git/tree/data/perl
Please note that you *must* run perlcritic with --noprofile (or from a
trusted directory) otherwise you will be subject to arbitrary code
execution via potentially untrusted code from the current directory.
--
bye,
pabs
https://wiki.debian.org/PaulWise
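As an added illustration of the audit step suggested above (this is not code from the message, from the Debian Perl team, or from check-all-the-things): a small Perl script that greps a constructed sample source for the idioms listed (`use lib`, backticks and qx//, system/exec given a single string, two-arg open with a pipe) and shows the list-form alternatives that should not be flagged. The rule names, regexes, the `audit` and `capture_list` helpers and the sample source are all my own constructions; the regexes are line-based heuristics, not a parser.

```perl
#!/usr/bin/perl
# Added example, not part of the original message: a heuristic audit for the
# unsafe Perl idioms listed in the thread, run over a constructed sample.
use strict;
use warnings;

# Constructed sample source: what the audit should and should not flag.
my $sample = <<'PERL';
use lib '.';                          # adds CWD to @INC
my $out = `ls $dir`;                  # backticks go through the shell
my $ver = qx/git describe $tag/;      # qx is the same thing
system("tar xf $file");               # single string: the shell parses it
open(my $fh, "$cmd |") or die;        # two-arg open with a pipe
open(my $ok, '<', $path) or die;      # three-arg open: fine
system('tar', 'xf', $file);           # list form: no shell involved
PERL

# Each rule: name, regex, and the safer idiom to suggest (hypothetical rule
# set, not a perlcritic policy).
my @rules = (
    [ 'use-lib',       qr/^\s*use\s+lib\b/,
      'do not add directories to @INC at runtime' ],
    [ 'backticks',     qr/`[^`]*`/,
      'capture output with a list-form open("-|", @cmd) instead' ],
    [ 'qx',            qr/\bqx\s*[\/{(|!]/,
      'same as backticks: the command string is handed to the shell' ],
    # Matches system("...") / exec '...' whose only argument is one quoted
    # string; system('tar', 'xf', $f) is not matched because of the comma.
    [ 'system-string', qr/\b(?:system|exec)\s*\(?\s*(["'])[^"']*\1\s*\)?\s*;/,
      'use system(@list) so no shell is involved' ],
    # Two-arg open whose mode string contains a pipe; the three-arg modes
    # '-|' and '|-' are excluded by the lookahead.
    [ 'open-pipe',
      qr/\bopen\s*\(?\s*[^,]+,\s*(?!["'](?:-\||\|-)["'])["'][^"']*\|[^"']*["']/,
      'use three-arg open with "-|" or "|-" and a command list' ],
);

# Returns a list of [line_number, rule_name, line_text, advice] findings.
sub audit {
    my ($source) = @_;
    my @findings;
    my $n = 0;
    for my $line (split /\n/, $source) {
        $n++;
        (my $code = $line) =~ s/#.*//;      # crude comment strip (heuristic)
        for my $rule (@rules) {
            my ($name, $re, $advice) = @$rule;
            push @findings, [ $n, $name, $code, $advice ] if $code =~ $re;
        }
    }
    return @findings;
}

# The safe counterpart to backticks/qx: three-arg open with '-|' and a list,
# so the kernel gets argv directly and no shell ever sees the arguments.
sub capture_list {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @out = <$fh>;
    close($fh);
    return @out;
}

for my $f (audit($sample)) {
    my ($n, $name, $code, $advice) = @$f;
    $code =~ s/\s+$//;
    printf "%d: %-13s %s\n    -> %s\n", $n, $name, $code, $advice;
}
# Expected: lines 1-5 each produce one finding; lines 6 and 7 produce none.
```

Run it with `perl audit.pl`; to use it on real files, replace `$sample` with the file contents. It complements rather than replaces perlcritic, which, as the message says, must be invoked as `perlcritic --noprofile <file>` (or from a trusted directory) so that a `.perlcriticrc` dropped into an untrusted checkout cannot load arbitrary policy code.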