perl-5.10.0

Bryan Kadzban bryan at kadzban.is-a-geek.net
Tue Oct 28 21:20:19 PDT 2008


Bruce Dubbs wrote:
> It looks like 2071 says that we need to add -Dvendorprefix=/usr to
> the configuration process, but configure.gnu doesn't support it.
> 
> <...>
> 
> Are there any comments about this?  Should I just drop in these
> instructions?

My only comment is that I've just tested perl-5.10.0's configure.gnu
script, and it appears to pass those options through to Configure.
Maybe this changed since that comment was added to the bug, but I see
this (as a test):

$ ./configure.gnu  --prefix=/usr -Dman1dir=/usr/share/man/man1
-Dman3dir=/usr/share/man/man3 -Dpager="/usr/bin/less -isR"
-Dvendorprefix=/usr
sh Configure -ds -e -Dprefix=/usr -Dman1dir=/usr/share/man/man1
-Dman3dir=/usr/share/man/man3 -Dpager=/usr/bin/less -isR
-Dvendorprefix=/usr
<...>
Installation prefix to use for vendor-supplied add-ons? (~name ok) [/usr]
Pathname for the vendor-supplied library files? (~name ok)
[/usr/lib/perl5/vendor_perl/5.10.0]
<...>

I'm sure the other options (that Dan uses) could be added as well.  It
looks like configure.gnu simply passes along everything it doesn't have
specific handling code for.

So my vote would be to pass -Dvendorprefix to configure.gnu (to fix the
bug), and perhaps more of Dan's args, unless that fails for anyone.  :-)

> The second ticket, 2227, concerns a group of patches, including one
> reasonably severe security patch.  This seems to be fixed in the
> existing patch.  The question is whether we really need to add any
> additional perl patches.

I'm not terribly inclined to add them (unless they fix holes), so I
suppose I have a slight preference for leaving at least some of them out.
Yes, it may be nice to have the test for the security fix, but it's not
terribly important if the hole is actually closed.  On the other hunks
of Robert's patch, I don't know (except for the one that duplicates the
fix to the rmtree bug: that one isn't needed).

Of the Debian bug list:

- Our perl-5.10.0-security_fix-1.patch fixes the rmtree bug.

- Useless warnings: who cares.

- Segfault: Bad, and the fix isn't terribly hard (see the Debian bug[0]
  for a patch[1]).

- Memory corruption: Also bad; the fix is a one-liner (see [2]).

[0] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=498769
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=498769.patch;att=1;bug=498769
[2] http://rt.perl.org/rt3/Public/Bug/Display.html?id=54934

> There seem to be a lot of patches, but they are not consolidated.  I
> can't tell which are meaningful and which are not.  I'm tempted to
> mark this wontfix.

The two patches (from the three links above) seem best to me.  That
should at least fix the (theoretically-maybe-exploitable) bugs; I'm much
less concerned about the useless warnings.