
The unstoppable Perl release train?

Posted Mar 1, 2012 23:43 UTC (Thu) by jhhaller (guest, #56103)
In reply to: The unstoppable Perl release train? by autarch
Parent article: The unstoppable Perl release train?

Not having any bone to pick on either side, it appears to this outsider that fixing security issues is not as big a concern as maintaining a consistent release schedule. Holding back a release because of a vulnerability gives everyone the impression that security is important and a project priority. Releasing it says we will get to it when we get to it, or that Unicode isn't thought to be important. Even a statement that we are working on the bug, that the release will go out shortly, but that a patch will be released shortly, would be better than only saying the release schedule is sacrosanct.

This article helped shine a light on this issue, which outsiders not watching Perl mailing lists would never have seen otherwise. If this puts enough pressure to get the bug fixed in a timely fashion, then the article served its purpose.


The unstoppable Perl release train?

Posted Mar 2, 2012 1:08 UTC (Fri) by autarch (subscriber, #22025) [Link] (6 responses)

Holding back a release for a security issue would make sense if the security issue were not already present in the last stable release, I agree.

I'm not sure of the exact details of the security issue, but given that it was first reported 10 months ago (and was probably reported against the stable release at that time), we can assume that existing stable versions of Perl are affected.

Releasing another stable release of Perl which is affected by the same problem really doesn't make a difference, security-wise.

The unstoppable Perl release train?

Posted Mar 2, 2012 4:04 UTC (Fri) by cmccabe (guest, #60281) [Link] (1 response)

Common sense would suggest fixing the gaping security hole before making another release. Luckily we live in an enlightened age when common sense has been replaced by "process" (formerly called "bureaucracy").

The unstoppable Perl release train?

Posted Mar 2, 2012 15:06 UTC (Fri) by autarch (subscriber, #22025) [Link]

Your assertion only makes sense if you think that making the next release and fixing the security hole are mutually exclusive. They're not.

The unstoppable Perl release train?

Posted Mar 2, 2012 14:40 UTC (Fri) by xdg (guest, #83285) [Link] (3 responses)

autarch is correct that the security issue is present in all stable releases of Perl since Unicode support was added. There are no reported exploits. Programs that follow the Perl 5 Security guidelines and the Security Implications of Unicode guidelines are unlikely to be affected.

When the issue is addressed, it will be backported to all supported Perl 5 stable release series, per the Perl 5 Support Policy. The release schedule of Perl is irrelevant. Holding up the Perl 5.16 release wouldn't get the issue fixed any faster and would merely hold up the release of other bugs fixed in the Perl 5.15 development cycle.

The unstoppable Perl release train?

Posted Mar 2, 2012 20:37 UTC (Fri) by dlang (guest, #313) [Link]

> autarch is correct that the security issue is present in all stable releases of Perl since Unicode support was added.

What is the bug? That's information that I haven't yet seen in this discussion.

The unstoppable Perl release train?

Posted Mar 4, 2012 5:27 UTC (Sun) by jmayer (guest, #595) [Link] (1 response)

My reading of the article is different from what you "Perl guys" are reading into it: with the new release there will be "complete" Unicode support; it will be the "if you haven't used Unicode before, do it now" release. So if there are security problems in the Unicode handling in Perl and more people start using the Unicode features, these problems will be in more and more programs. How many people who write Perl scripts have actually read the security guidelines - probably well below 50%. Many people I know learn mostly from examples, not from manpages.

The unstoppable Perl release train?

Posted Mar 4, 2012 19:39 UTC (Sun) by xdg (guest, #83285) [Link]

If you're reading this as "the Unicode release", then the author has (probably unintentionally) misled you. Unicode itself is a moving target, and Perl has continued to make significant strides to improve how it handles Unicode semantics in the last couple of releases. See Unicode Overhaul from the 5.12 release notes and Unicode in the 5.14 release notes. Perl 5.16 continues this trend of incremental improvements.

As for how many people read the security-relevant sections of manpages, that's an issue for any language or tool. Most tools can be used insecurely, dynamic languages particularly so. I would hope that anyone writing or deploying code where security does matter would read the relevant manpages.

Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds