
Re: Bug#954089: libplack-perl: Please verify server identity via SSL



Hi Gregor,

On Mon, Mar 16, 2020 at 9:35 AM gregor herrmann <gregoa@debian.org> wrote:
>
> (Taking a random instance of the identical mass bug filing.)

Many are very similar, but not all are identical.

> - Is it realistic to patch dozens of upstream files?
> - Should the default be changed in HTTP::Tiny? (In src:perl and in
>   libhttp-tiny-perl) In Debian (or better upstream though the latter
>   might be difficult given the texts you quote.)

I pursued that route originally (although not exhaustively).
HTTP::Tiny is apparently used in a lot of tests, which would have to
be modified. Also, the module ships as part of Perl core.

In October of last year, I raised the issue with Debian's security
team and received the following reply from Moritz Mühlenhoff, whom I
copied (to avoid talking about people not present). Paul Wise was also
party to the original exchange; he was likewise copied:

> It's not an acceptable default if one would create it from scratch today,
> but I can see their point wrt avoiding to change the default in retrospect
> on a widely installed base. Python made a similar change in 3.x which was
> backported to 2.7 with notable fallout.

> But that doesn't mean that we shouldn't review/change the setting
> as used by reverse dependencies in the archive, I suggest to file
> bugs with severity important for any reverse dependency of the module
> which doesn't have it enabled.

> The maintainers can then assess impact for their respective packages
> and adjust it for bullseye as they see fit (and add a NEWS for high
> profile cases).

As you can see, I am implementing a recommendation I received some
time ago from Debian's security team.

Sorry about all the filings. Another five may follow.

Kind regards
Felix Lechner
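As an added example, and not code from the bug report or from the Plack or HTTP::Tiny projects, the following Perl script puts the verification-off HTTP::Tiny default this thread is about beside the construction a reverse dependency would switch to, and goes a step beyond the one-line fix by failing closed when no SSL stack is available and when a request fails. It assumes an installed HTTP::Tiny whose verify_SSL still defaults to 0 (check the documentation of the version you have); the names secure_client and get_checked, the ca_file option and the CA bundle path are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the bug report or from HTTP::Tiny/Plack:
# the verify_SSL default beside a hardened client constructor.
use strict;
use warnings;
use HTTP::Tiny;

# Assumption: this HTTP::Tiny release still defaults verify_SSL to 0,
# as the bug report describes; a client built this way accepts any
# certificate, so a network attacker can impersonate the server.
my $default = HTTP::Tiny->new;
printf "default client: verify_SSL=%d\n", $default->verify_SSL ? 1 : 0;

# Hardened constructor (assumed name): refuse to run without a usable
# SSL stack and force chain and hostname verification on, whatever the
# module's default is. Any HTTP::Tiny attributes in %opts are passed
# through; an optional ca_file (assumed option name) pins the trust
# store to one CA bundle instead of the system store.
sub secure_client {
    my %opts = @_;
    my $ca_file = delete $opts{ca_file};

    my ( $ok, $why ) = HTTP::Tiny->can_ssl;
    die "no usable SSL support (IO::Socket::SSL/Net::SSLeay): $why\n"
      unless $ok;

    my %ssl_options = defined $ca_file ? ( SSL_ca_file => $ca_file ) : ();

    return HTTP::Tiny->new(
        %opts,
        verify_SSL  => 1,               # verify certificate chain and hostname
        SSL_options => \%ssl_options,   # forwarded to IO::Socket::SSL
    );
}

# Fail closed (assumed helper name): HTTP::Tiny reports its own errors,
# including a rejected certificate or hostname mismatch, as status 599
# with the reason in the body. Treat every failure as fatal instead of
# quietly returning an empty or attacker-supplied response.
sub get_checked {
    my ( $http, $url ) = @_;
    my $res = $http->get($url);
    if ( !$res->{success} ) {
        my $detail = $res->{status} == 599 ? "\n$res->{content}" : '';
        die sprintf "GET %s failed: %s %s%s\n", $url, $res->{status},
          $res->{reason}, $detail;
    }
    return $res->{content};
}

# Example CA bundle path is an assumption; drop ca_file to use the
# system trust store that IO::Socket::SSL locates.
my $http = secure_client(
    timeout => 10,
    ca_file => '/etc/ssl/certs/ca-certificates.crt',
);
printf "hardened client: verify_SSL=%d\n", $http->verify_SSL;

# No network access unless a URL is given on the command line:
#   perl verify_ssl_example.pl https://example.org/
if ( my $url = shift @ARGV ) {
    my $body = get_checked( $http, $url );
    printf "fetched %d bytes from %s\n", length $body, $url;
}
```

The check a maintainer wants is the second printf: on the affected release the first client reports verify_SSL=0 and the second reports 1. Run the script against a host whose certificate does not match its name and get_checked dies with a 599 and an IO::Socket::SSL verification error, which is the behaviour the default client silently lacks.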

