| 1 |
On Sat, 7 Oct 2017 12:15:14 -0400 |
| 2 |
"Aaron W. Swenson" <titanofold@g.o> wrote: |
| 3 |
|
| 4 |
> This reads kind of awkwardly. Maybe something along this lines of: |
| 5 |
> |
| 6 |
> This release brings several incompatible changes as a result of |
| 7 |
> deprecations coming to term [#] and mitigating a potential security |
| 8 |
> issue [#]. |
| 9 |
> |
| 10 |
> I wouldn’t really consider the security risk eliminated, but |
| 11 |
> mitigated as the vector of attack remains if program or module adds the |
| 12 |
> current working directory to @INC on its own. The interpreter just isn’t |
| 13 |
> adding it to @INC. |
| 14 |
|
| 15 |
Its probably more accurate to consider this a form of security theatre |
| 16 |
than a real security mitigation. |
| 17 |
|
| 18 |
Just phrasing that succinctly is not easy. |
| 19 |
|
| 20 |
Maybe instead of calling it "a security issue", its "a change in |
| 21 |
defaults due to potential security concerns" |
Archives