Subject: Re: Updating Perl in pkgsrc-2004Q4
To: John Klos <john@ziaspace.com>
From: Johnny C. Lam <jlam@NetBSD.org>
List: tech-pkg
Date: 01/07/2005 21:29:22
On Fri, Jan 07, 2005 at 10:56:59AM -0800, John Klos wrote:
> 
> Does anyone see any problems with the idea of manually updating and 
> building the latest Perl without the security issues and using that to do 
> bulk package builds with pkgsrc-2004Q4?
> 
> I can't see any value whatsoever in having all of the Perl dependent 
> packages built based on an insecure Perl, and I don't feel like waiting 
> around until someone pulls a fixed Perl into 2004Q4.
> 
> What are other people's thoughts about this?

lang/perl58 on the pkgsrc-2004Q4 branch was already updated a few days
ago to perl-5.8.5nb7, which should contain the fixes for the (rather
minor) security advisories.  If it is still flagged as vulnerable,
then that is a bug in the pkg-vulnerabilities file.

There is no problem in building packages against the "insecure" perl,
since the bugs were due to "insecure use of /tmp" and were restricted
to two shell scripts (instmodsh and perl5db) that were installed with
the Perl package, and that are practically never used by users, and
absolutely never used by any packages.

	Cheers,

	-- Johnny Lam <jlam@NetBSD.org>
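The "insecure use of /tmp" bug class referred to in the reply above, shown as an added example that is not code from lang/perl58 or from the instmodsh/perl5db scripts: a constructed predictable-filename pattern next to the atomic, unpredictable creation that File::Temp provides. The filename and sub names are illustrative assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the Perl package or the affected scripts:
# contrast a predictable /tmp filename (the bug class in the advisories)
# with an atomically created, unpredictable one.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use File::Temp qw(tempfile);

# Vulnerable pattern (constructed for illustration, kept as the "before"):
# the name is derived from the PID, so another local user can predict it
# and pre-create a symlink at that path; '>' then follows the link and
# overwrites its target with this process's privileges.
sub scratch_insecure {
    my $name = "/tmp/scratch.$$";
    open(my $fh, '>', $name) or die "open $name: $!";
    return ($fh, $name);
}

# Hardened by hand: O_EXCL makes the open fail instead of following a
# pre-placed symlink or reusing an existing file, and mode 0600 keeps
# other users from reading the contents. The name is still guessable,
# so the call can be made to fail, but not to clobber another file.
sub scratch_excl {
    my ($name) = @_;
    sysopen(my $fh, $name, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "refusing to use $name: $!";
    return $fh;
}

# Preferred: File::Temp picks a random name, opens it with O_EXCL and
# mode 0600, and removes it at exit when UNLINK is set.
sub scratch_secure {
    my ($fh, $name) = tempfile("scratch.XXXXXXXX", DIR => "/tmp", UNLINK => 1);
    return ($fh, $name);
}

my ($fh, $name) = scratch_secure();
print $fh "temporary data\n";
close $fh or die "close $name: $!";
printf "created %s with mode %04o\n", $name, (stat $name)[2] & 07777;
```

Running it prints a path under /tmp with mode 0600; the file is removed when the script exits.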