
Re: The YAML::XS situation



Paul Wise wrote...

> On Mon, May 8, 2017 at 3:57 AM, Christoph Biedl wrote:
> 
> > So this leaves us with fixing the module libyaml-libyaml-perl, also in
> > older releases, and reviewing all code in Debian that uses this
> > package. There are about 38 packages to sift through, and at a quick
> > glance duck (Debian URL checker) is one of those that are affected.
> 
> Agreed. Please also take a look at codesearch, not just reverse deps.

Yes, did so.

> > * Make the re-instantiation configurable, default OFF
> 
> I would say this is the most viable choice.
> 
> >   - As above, it's a fork
> >   - This makes applications behave differently when running on different
> >     distributions.
> 
> This change needs to get forwarded upstream and if they won't have it
> then forwarded to all the distributions.

The problem here is upstream seems to be pretty unresponsive.

For the time being, and since overall reaction has been pretty low: My
plan now is to review all yaml implementations for that feature, and
also all packages in Perl that depend on those. For both I could use
some help, I've created a document in gobby. If ...

> >   - We'd have to identify all applications that actually need that
> >     feature and patch them. As above, their number might be zero but
> >     certainly is lower than with "default ON" above.

... that number is indeed zero, shortcut to disabling the re-instantiation
feature entirely. Else reconsider. This will also be a topic for the Perl
sprint in a week.

> Audit new/updated Perl code for known-unsafe behaviour, like using
> `use lib`, qx/``, system/popen without lists, open with pipes etc.
> Talk to Perl upstream about deprecating all these things.

*That* is another thing to improve Perl code quality, and certainly a
good idea.

    Christoph
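A practical guard for the re-instantiation problem discussed in this thread, as an added example that is not code from the thread, from Debian or from YAML::XS itself: it loads a constructed document carrying `!!perl/hash:` and `!!perl/array:` tags with YAML::XS, walks the result and rejects anything that came back blessed. The `$YAML::XS::LoadBlessed` switch it also sets is, to my knowledge, only present in YAML::XS 0.69 and later, which postdate this thread; on the older releases the thread is about, the walk is the only guard, which is why the example does both. The class names in the sample document are made up.

```perl
#!/usr/bin/perl
# Added example: load untrusted YAML with YAML::XS and refuse any result that
# contains blessed (re-instantiated) objects, independent of library version.
use strict;
use warnings;
use YAML::XS ();
use Scalar::Util qw(blessed reftype refaddr);

# Constructed sample (made-up class names). Without a guard, older YAML::XS
# releases turn these nodes into objects of the named classes.
my $untrusted_yaml = <<'YAML';
--- !!perl/hash:Some::Untrusted::Class
name: example
nested:
  - !!perl/array:Another::Class
    - 1
    - 2
YAML

# Walk a loaded document and return a list of "path is blessed into Class"
# strings, one per blessed reference found. Cycles are handled via refaddr.
sub find_blessed {
    my ($node, $path, $seen, $found) = @_;
    $path  //= '$doc';
    $seen  //= {};
    $found //= [];
    return $found unless ref $node;
    return $found if $seen->{ refaddr($node) }++;   # already visited
    push @$found, sprintf('%s is blessed into %s', $path, blessed($node))
        if blessed($node);
    my $type = reftype($node) // '';
    if ($type eq 'HASH') {
        find_blessed($node->{$_}, sprintf('%s{%s}', $path, $_), $seen, $found)
            for sort keys %$node;
    } elsif ($type eq 'ARRAY') {
        find_blessed($node->[$_], sprintf('%s[%d]', $path, $_), $seen, $found)
            for 0 .. $#$node;
    } elsif ($type eq 'REF' || $type eq 'SCALAR') {
        find_blessed($$node, sprintf('${%s}', $path), $seen, $found);
    }
    return $found;
}

# Load YAML from an untrusted source and die if objects were re-instantiated.
sub load_untrusted {
    my ($yaml) = @_;
    # Assumption: on YAML::XS 0.69 and later this disables blessing of
    # !!perl/* tagged nodes; older releases silently ignore the variable.
    no warnings 'once';
    local $YAML::XS::LoadBlessed = 0;
    my $doc = YAML::XS::Load($yaml);
    # Belt and braces: whatever the library did, reject blessed results.
    my $hits = find_blessed($doc);
    die "refusing YAML document that re-instantiates objects:\n  "
        . join("\n  ", @$hits) . "\n" if @$hits;
    return $doc;
}

my $doc = eval { load_untrusted($untrusted_yaml) };
print $@ ? "rejected: $@" : "accepted document\n";
```

On a YAML::XS release that still blesses by default, the sample is rejected with two findings, `$doc is blessed into Some::Untrusted::Class` and `$doc{nested}[0] is blessed into Another::Class`; on a release where `$YAML::XS::LoadBlessed` exists and is honoured, the same document loads as a plain hash and is accepted. Running the walk in both cases is deliberate: it documents the expectation in the application rather than in the library version it happens to be built against.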
