From: Kent Fredric
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] RFC: News item: Perl 5.26 update
Date: Sun, 8 Oct 2017 05:44:20 +1300
Message-ID: <20171008054420.51473d8b@katipo2.lan>
In-Reply-To: <20171007161514.GE24569@gengoff>

On Sat, 7 Oct 2017 12:15:14 -0400
"Aaron W. Swenson" wrote:

> This reads kind of awkwardly. Maybe something along the lines of:
>
> This release brings several incompatible changes as a result of
> deprecations coming to term [#] and mitigating a potential security
> issue [#].
>
> I wouldn’t really consider the security risk eliminated, but
> mitigated as the vector of attack remains if a program or module adds the
> current working directory to @INC on its own. The interpreter just isn’t
> adding it to @INC.

It's probably more accurate to consider this a form of security theatre
than a real security mitigation.

Just phrasing that succinctly is not easy.

Maybe instead of calling it "a security issue", it's "a change in
defaults due to potential security concerns"
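
Added example, not part of the original message or of any Gentoo or Perl tooling: a small audit helper that flags the cases the thread describes, where code or its launcher puts the current working directory back on @INC even though the 5.26 interpreter no longer does. The rule set, the function names and the sample script are constructed for illustration, and the matching is a line-based heuristic, not a Perl parser.

```python
import re

# Perl spellings of the cwd: a quoted "." or a qw() list holding only ".".
# Relative paths such as './lib' are deliberately out of scope here.
DOT = r"""(?:['"]\.['"]|qw\s*[(\[{/<]\s*\.\s*[)\]}/>])"""

# Constructed heuristics, one per way "." can return to @INC.
RULES = [
    ("use lib adds cwd", re.compile(r"^\s*use\s+lib\b[^;]*" + DOT)),
    ("push/unshift onto @INC adds cwd",
     re.compile(r"\b(?:push|unshift)\b\s*\(?\s*@INC\s*,[^;]*" + DOT)),
    ("PERL_USE_UNSAFE_INC enabled",
     re.compile(r"PERL_USE_UNSAFE_INC\W{0,4}=\W{0,3}1\b")),
]
SHEBANG_I_DOT = re.compile(r"^#!.*perl.*\s-I\s*\.(?:\s|$)")

# Constructed sample script (not taken from any real package).
SAMPLE = """#!/usr/bin/perl -I.
use strict;
use lib './lib';
use lib '.';
# push @INC, '.';   (commented out, ignored)
BEGIN { unshift @INC, "." }
$ENV{PERL_USE_UNSAFE_INC} = 1;
require Helper;
"""


def strip_comment(line):
    """Drop a Perl comment; heuristic: '#' at line start or after whitespace."""
    return re.sub(r"(^|\s)#.*$", "", line)


def find_cwd_in_inc(source):
    """Return (line_number, rule_name) for each line that re-adds '.' to @INC."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        if number == 1 and SHEBANG_I_DOT.search(line):
            findings.append((number, "shebang -I. adds cwd"))
            continue
        code = strip_comment(line)
        for name, pattern in RULES:
            if pattern.search(code):
                findings.append((number, name))
    return findings


if __name__ == "__main__":
    for number, name in find_cwd_in_inc(SAMPLE):
        print(f"line {number}: {name}")
```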