On 2017-05-12 at 21:19, Christoph Biedl wrote:
> Paul Wise wrote...
>
>> On Mon, May 8, 2017 at 3:57 AM, Christoph Biedl wrote:
>>
>>> So this leaves us with fixing the module libyaml-libyaml-perl, also in
>>> older releases, and reviewing all code in Debian that uses this
>>> package. There are about 38 packages to sift through, and at a quick
>>> glance duck (Debian URL checker) is one of those that are affected.

Well, I will take a look and try to find out what I can do to avoid
problems caused by using libyaml-libyaml-perl. I chose
libyaml-libyaml-perl because it was just the first lib that I stumbled
upon, so there is no specific need for that particular lib. Although I
do not use/do not rely on object re-instantiation, AFAIK.

Thanks for the hint!

Simon

>> Agreed. Please also take a look at codesearch, not just reverse deps.
>
> Yes, did so.
>
>>> * Make the re-instantiation configurable, default OFF
>>
>> I would say this is the most viable choice.
>>
>>> - As above, it's a fork
>>> - This makes applications behave differently when running on different
>>> distributions.
>>
>> This change needs to get forwarded upstream and if they won't have it
>> then forwarded to all the distributions.
>
> The problem here is upstream seems to be pretty unresponsive.
>
> For the time being, and since overall reaction has been pretty low: My
> plan now is to review all yaml implementations for that feature, and
> also all packages in Perl that depend on those. For both I could use
> some help, I've created a document in gobby. If ...
>
>>> - We'd have to identify all applications that actually need that
>>> feature and patch them. As above, their number might be zero but
>>> certainly is lower than with "default ON" above.
>
> ... that number is indeed zero, shortcut to disabling the
> re-instantiation feature entirely. Else reconsider. This will also be a
> topic for the Perl sprint in a week.
>
>> Audit new/updated Perl code for known-unsafe behaviour, like using
>> `use lib`, qx/``, system/popen without lists, open with pipes etc.
>> Talk to Perl upstream about deprecating all these things.
>
> *That* is another thing to improve Perl code quality, and certainly a
> good idea.
>
> Christoph
Attachment:
signature.asc
Description: OpenPGP digital signature
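For readers sifting through the ~38 reverse dependencies mentioned above: the following is an added example, not code from the thread, from duck, or from libyaml-libyaml-perl. It shows what the "object re-instantiation" feature of YAML::XS does to a loaded document on releases that bless by default (the situation the thread is about), and a post-load walk that flags any node the loader blessed. The package Example::Victim, the input document and the variable names are constructed for the illustration; the `$YAML::XS::LoadBlessed` switch mentioned at the end was added to YAML::XS after this thread and is an assumption about the release you are running.

```perl
#!/usr/bin/perl
# Added example (not from the thread): what the re-instantiation feature
# of libyaml-libyaml-perl (YAML::XS) does to a loaded document, and a
# post-load check that flags documents it touched.
use strict;
use warnings;
use YAML::XS ();                       # libyaml-libyaml-perl
use Scalar::Util qw(blessed reftype);

# Hypothetical class that happens to be loaded in the consuming process.
# A destructor with side effects is the classic reason a loader must not
# bless untrusted data into arbitrary packages: it runs whether or not the
# application ever calls a method on the object.
package Example::Victim;
sub DESTROY {
    my ($self) = @_;
    print "Example::Victim::DESTROY ran with cmd='$self->{cmd}'\n";
}
package main;

# Constructed input standing in for an attacker-supplied YAML file.
# The local tag names the package; YAML::XS honours it on Load().
my $untrusted_yaml = <<'YAML';
--- !!perl/hash:Example::Victim
cmd: rm -rf /
title: looks like an ordinary config
YAML

# Walk a loaded structure and report every node the loader blessed.
sub find_blessed {
    my ($node, $path, $seen) = @_;
    $path //= '$doc';
    $seen //= {};
    return () unless ref $node;
    return () if $seen->{"$node"}++;   # cycle guard: refs stringify to addresses
    my @hits;
    push @hits, $path . ' is blessed into ' . blessed($node) if blessed($node);
    my $type = reftype($node);
    if ($type eq 'HASH') {
        push @hits, find_blessed($node->{$_}, $path . '{' . $_ . '}', $seen)
            for sort keys %$node;
    } elsif ($type eq 'ARRAY') {
        push @hits, find_blessed($node->[$_], $path . '[' . $_ . ']', $seen)
            for 0 .. $#$node;
    } elsif ($type eq 'SCALAR' || $type eq 'REF') {
        push @hits, find_blessed($$node, '${' . $path . '}', $seen);
    }
    return @hits;
}

{
    my $doc  = YAML::XS::Load($untrusted_yaml);
    my @hits = find_blessed($doc);
    if (@hits) {
        warn "refusing document, loader re-instantiated objects:\n",
             map { "  $_\n" } @hits;
    } else {
        print "document contains plain data only\n";
    }
    # $doc goes out of scope here: if it was blessed, DESTROY runs now,
    # after the check. Detection after Load() is therefore too late to
    # stop constructor/destructor side effects; it only keeps the object
    # from being used further down. The off-by-default switch in the
    # loader that the thread argues for is the real remedy.
}

# Later YAML::XS releases (after this thread) added $YAML::XS::LoadBlessed;
# with it set to 0, Load() returns an unblessed hash for the same input.
# On releases without it the assignment is harmless but has no effect.
{
    no warnings 'once';
    local $YAML::XS::LoadBlessed = 0;
    my $doc = YAML::XS::Load($untrusted_yaml);
    print "with LoadBlessed=0: ",
          (blessed($doc) ? 'still blessed' : 'plain hash'), "\n";
}
```

When auditing a package, the useful question is not only "does it call YAML::XS::Load on untrusted input" but "which classes with DESTROY, AUTOLOAD or overloaded operators are loaded in that process", since those are what an attacker-chosen tag can reach without the application calling anything.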
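On the second audit item, "system/popen without lists, open with pipes": the following is an added example, not from the thread or from any Debian package, showing the string-versus-list distinction behind it. The hostile input, the curl command line and the helper names are constructed for the illustration; the only thing actually executed is /bin/echo.

```perl
#!/usr/bin/perl
# Added example (not from the thread): why a single command string is
# unsafe with untrusted data and the list form is not.
use strict;
use warnings;

# Constructed hostile input, e.g. a URL read from an untrusted package file.
my $untrusted = 'http://example.invalid/; touch /tmp/pwned';

# UNSAFE: a single string containing shell metacharacters is handed to
# /bin/sh -c, which treats ';' as a command separator. The same applies
# to qx// and backticks, and to two-argument open() with a trailing '|'.
sub unsafe_command_line {
    my ($url) = @_;
    return "curl -sI $url";            # would be run as system($line) or qx($line)
}

# SAFE: a list of more than one element is passed to execvp() directly;
# no shell ever sees the argument. '--' keeps a URL starting with '-'
# from being parsed as an option.
sub safe_argv {
    my ($url) = @_;
    return ('curl', '-sI', '--', $url);
}

# Defence in depth: reject input that does not look like a URL at all,
# instead of trying to escape it for a shell.
sub looks_like_http_url {
    my ($url) = @_;
    return $url =~ m{\A https?:// [A-Za-z0-9.-]+ (?: : [0-9]+ )?
                     (?: / [^\s;|&`\$()<>"']* )? \z}x ? 1 : 0;
}

# Run a command through the list form of open(). With two or more list
# elements Perl forks and execs without a shell, so the whole hostile
# string arrives as ONE argv element and is printed, not executed.
sub run_list_form {
    my (@argv) = @_;
    die "list form needs more than one element" if @argv < 2;
    open(my $fh, '-|', @argv) or die "cannot fork @argv: $!";
    my @out = <$fh>;
    close $fh;
    chomp @out;
    return @out;
}

print "validator rejects input: ",
      (looks_like_http_url($untrusted) ? 'no' : 'yes'), "\n";

my @argv = safe_argv($untrusted);
print "argv has ", scalar(@argv), " elements; the URL is one of them\n";

print "$_\n" for run_list_form('/bin/echo', 'would fetch:', $untrusted);

# Patterns the audit is looking for; do NOT do these with untrusted $url:
#   system("curl -sI $url");          # shell, injection
#   my $hdr = `curl -sI $url`;        # same via backticks/qx
#   open(my $p, "curl -sI $url |");   # two-argument pipe open, shell
#   open(my $p, '-|', "curl -sI $url");  # single-element list: still a shell
```

The `use lib` item in the same list is a different hazard: a relative or world-writable directory prepended to @INC lets whoever controls that directory supply the module that gets loaded, so it belongs in the same review even though no command string is involved.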