tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: p5-libwww

Thus wrote Thomas Klausner (

> On Wed, Jul 13, 2011 at 09:59:55PM +0200, S.P.Zeidler wrote:
> > 5.837 is the last '5' version, the '6' versions have a bunch of moduls
> > split out. I recently packaged these new modules, so that all dependencies
> > for p5-libwww-6.02 are already present.
> Are there conflicts between the separate packages and p5-libwww-5?

Good point, I added the respective lines to Makefiles.

> > Formally, p5-libwww-6.02 does not depend on p5-LWP-Protocol-https,
> > but p5-libwww-5.837 contained https capability. That's the reason it
> > reports as vulnerable in fact:
> > p5-libwww-5.837 wasn't too picky about the certs it got, ie it did
> > encryption but not really verification. p5-LWP-Protocol-https by default
> > checks the certificate, or fails if it can't when e.g. there is no CA cert
> > for the certificate in question. One can tell it to not verify by setting
> > the environment variable PERL_LWP_SSL_VERIFY_HOSTNAME to 0.
> > 
> > So, update p5-libwww? with or without p5-LWP-Protocol-https as package
> > dependency?
> I think we should not make it depend on p5-LWP-Protocol-https.
> If packages need the functionality, we can add the dependency there.

It's less a question whether an entire package needs it, as whether a user
of a package configured their web services in a way that https is
necessary. eg devel/rt3 does not need https, but does.
As such, you get a disruptive change, and adding an update message will
likely not catch problems like these since hardly anyone will be
installing p5-libwww on its own; it'll likely be a well-buried dependency.

-- (S.P.Zeidler)

Home | Main Index | Thread Index | Old Index