tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: p5-libwww



On Wed, Jul 13, 2011 at 09:59:55PM +0200, S.P.Zeidler wrote:
> 5.837 is the last '5' version, the '6' versions have a bunch of moduls
> split out. I recently packaged these new modules, so that all dependencies
> for p5-libwww-6.02 are already present.

Are there conflicts between the separate packages and p5-libwww-5?

> Formally, p5-libwww-6.02 does not depend on p5-LWP-Protocol-https,
> but p5-libwww-5.837 contained https capability. That's the reason it
> reports as vulnerable in fact:
> p5-libwww-5.837 wasn't too picky about the certs it got, ie it did
> encryption but not really verification. p5-LWP-Protocol-https by default
> checks the certificate, or fails if it can't when e.g. there is no CA cert
> for the certificate in question. One can tell it to not verify by setting
> the environment variable PERL_LWP_SSL_VERIFY_HOSTNAME to 0.
> 
> So, update p5-libwww? with or without p5-LWP-Protocol-https as package
> dependency?

I think we should not make it depend on p5-LWP-Protocol-https.
If packages need the functionality, we can add the dependency there.
 Thomas


Home | Main Index | Thread Index | Old Index