All the Perl that's Practical to Extract and Report

  • I find the last paragraph of his blog the most interesting:


    For the ordinary PHP user this means that I will no longer hide the slow response time to security holes in my advisories. It will also mean that some of my advisories will come without patches available, because the PHP Security Response Team refused to fix them for months. It will also mean that there will be a lot more advisories about security holes in PHP.


    Besides the other possible back-stories others have mentioned, it seems that they've fallen to the pretend-we're-business trap of trying to control information. When you do that, bad things happen.

    I would hope that problems with Perl would immediately be made public so we have a chance to deal with them. I think, however, that we probably have a more responsive set of core developers who already do their business in public (I think, maybe I'm just not in the star chamber :)
    • I would hope that problems with Perl would immediately be made public so we have a chance to deal with them. I think, however, that we probably have a more responsive set of core developers who already do their business in public (I think, maybe I'm just not in the star chamber :)

      Well, besides perlbug and P5P there is no infrastructure to report security bugs... (and the last core security bug that was found was a printf format string vulnerability back in December 2005, which was promptly fixed.) There might be for some CPAN modules, but I'm not aware of that...

      • That's a very good point. What additional infrastructure is needed?
        • None, probably. If you built it, it would gather dust.

          I think the p5p mailing list is the best venue for reporting security problems. One doesn't have to be subscribed to post to it...