On Sat, 7 Oct 2017 12:15:14 -0400
"Aaron W. Swenson" <titanofold@g.o> wrote:

> This reads kind of awkwardly. Maybe something along these lines:
>
> This release brings several incompatible changes as a result of
> deprecations coming to term [#] and mitigating a potential security
> issue [#].
>
> I wouldn’t really consider the security risk eliminated, but
> mitigated, as the vector of attack remains if a program or module adds the
> current working directory to @INC on its own. The interpreter just isn’t
> adding it to @INC.

It’s probably more accurate to consider this a form of security theatre
than a real security mitigation.

Just phrasing that succinctly is not easy.

Maybe instead of calling it "a security issue", it’s "a change in
defaults due to potential security concerns".
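The point raised in the thread is that the interpreter no longer puts "." on @INC, but any program or module can still push the current directory back on. As an added illustration (not part of the thread and not Perl's own code), the following script audits @INC for relative entries and removes them so that module lookups never resolve against the working directory. The function names relative_inc_entries and harden_inc are invented for this example; File::Spec is a core module.

```perl
#!/usr/bin/env perl
# Added example: audit and harden @INC against relative entries.
use strict;
use warnings;
use File::Spec;

# Return every @INC entry that is a relative path (".", "lib", "../x").
# Coderef/object hooks are skipped: they are not paths at all.
sub relative_inc_entries {
    my @inc = @_;
    return grep { !ref($_) && !File::Spec->file_name_is_absolute($_) } @inc;
}

# Return a copy of @INC with relative path entries dropped and hooks kept.
sub harden_inc {
    my @inc = @_;
    return grep { ref($_) || File::Spec->file_name_is_absolute($_) } @inc;
}

# Constructed scenario: some code restores the pre-5.26 default by
# appending "." (a relative entry) to @INC.
push @INC, '.';

my @bad = relative_inc_entries(@INC);
printf "relative entries in \@INC: %s\n", @bad ? join(', ', @bad) : '(none)';

# Replace @INC with the hardened list before any further require/use.
@INC = harden_inc(@INC);
printf "after hardening, relative entries: %s\n",
    relative_inc_entries(@INC) ? 'still present' : '(none)';
```

Run it under any perl to see the "." entry reported and then removed. For context, Perl 5.26 and later omit "." from @INC by default; setting the environment variable PERL_USE_UNSAFE_INC=1 restores the old behaviour for the interpreter, which is why an audit like this is still useful on systems where that variable, or code in the program itself, re-adds the working directory.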