Paul Wise wrote...

> On Mon, May 8, 2017 at 3:57 AM, Christoph Biedl wrote:
>
> > So this leaves us with fixing the module libyaml-libyaml-perl, also in
> > older releases, and reviewing all code in Debian that uses this
> > package. There are about 38 packages to sift through, and at a quick
> > glance duck (Debian URL checker) is one of those that are affected.
>
> Agreed. Please also take a look at codesearch, not just reverse deps.

Yes, did so.

> > * Make the re-instantiation configurable, default OFF
>
> I would say this is the most viable choice.
>
> > - As above, it's a fork
> > - This makes applications behave differently when running on different
> > distributions.
>
> This change needs to get forwarded upstream and if they won't have it
> then forwarded to all the distributions.

The problem here is upstream seems to be pretty unresponsive.

For the time being, and since overall reaction has been pretty low: My
plan now is to review all yaml implementations for that feature, and
also all packages in Perl that depend on those. For both I could use
some help, I've created a document in gobby.

If ...

> > - We'd have to identify all applications that actually need that
> > feature and patch them. As above, their number might be zero but
> > certainly is lower than with "default ON" above.

... that number is indeed zero, shortcut to disabling the
re-instantiation feature entirely. Else reconsider. This will also be a
topic for the Perl sprint in a week.

> Audit new/updated Perl code for known-unsafe behaviour, like using
> `use lib`, qx/``, system/popen without lists, open with pipes etc.
> Talk to Perl upstream about deprecating all these things.

*That* is another thing to improve Perl code quality, and certainly a
good idea.

    Christoph
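As an added illustration (not code from this thread, from libyaml-libyaml-perl or from Debian) of the re-instantiation behaviour under discussion and of two defensive responses, assuming YAML::XS 0.69 or later (which added the `$YAML::XS::LoadBlessed` switch) and a hypothetical class name `Some::Class` that the program never defines:

```perl
#!/usr/bin/perl
# Added example: a YAML document's own tag can make YAML::XS bless the
# loaded data into an arbitrary class. Two defences are shown: turning
# blessing off via $YAML::XS::LoadBlessed (its default has changed across
# releases, so set it explicitly) and a post-load check that rejects any
# blessed reference regardless of the loader's settings.
use strict;
use warnings;
use Scalar::Util qw(blessed reftype);
use YAML::XS ();

# Constructed input: an untrusted document carrying a Perl class tag.
# Some::Class is hypothetical; nothing in this program declares it.
my $doc = <<'YAML';
--- !!perl/hash:Some::Class
name: example
YAML

# Walk a loaded structure and die at the first blessed reference.
sub assert_no_blessed {
    my ($data, $path) = @_;
    $path //= '$';
    return 1 unless ref $data;
    die "blessed object (" . blessed($data) . ") at $path\n" if blessed $data;
    my $type = reftype $data;
    if ($type eq 'HASH') {
        assert_no_blessed($data->{$_}, $path . '{' . $_ . '}') for sort keys %$data;
    } elsif ($type eq 'ARRAY') {
        assert_no_blessed($data->[$_], $path . '[' . $_ . ']') for 0 .. $#$data;
    }
    return 1;
}

# Blessing enabled: the document, not the program, decides the class.
{
    local $YAML::XS::LoadBlessed = 1;
    my $obj = YAML::XS::Load($doc);
    printf "LoadBlessed=1: ref is %s\n", ref $obj;   # Some::Class
    eval { assert_no_blessed($obj) };
    print "post-load check rejected it: $@" if $@;
}

# Blessing disabled: the tag is ignored and a plain hash comes back.
{
    local $YAML::XS::LoadBlessed = 0;
    my $data = YAML::XS::Load($doc);
    printf "LoadBlessed=0: ref is %s\n", ref $data;  # HASH
    assert_no_blessed($data);
    print "plain data accepted\n";
}
```

The walk in `assert_no_blessed` is the part worth reusing when auditing the dependent packages, since it catches objects produced by any YAML implementation, not only YAML::XS.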