On 25/07/16 17:20, Dominic Hargreaves wrote:
> Hello,
>
> As you will see from the below DSA, a class of vulnerabilities in
> perl programs has been announced today. We have fixed the worst parts of
> this in Debian, but ultimately we'd like to (in keeping with upstream's
> intentions for 5.26) remove the current directory from the module search
> path altogether.
>
> At the moment, this would cause around 40 packages to FTBFS (that was
> the number of jessie - it will be a bit different for sid).

The advisory only mentions about a dozen packages. Is that estimate of ~40 accurate?

> In the near term, changing the default is a matter of uncommenting a line
> in a conffile (and can therefore be easily reverted by the user if needed).
>
> I'd like to upload such a change to sid ASAP (probably just after the
> initial sid upload, due any minute now, migrates to testing). If the
> impact of that measured against sid/stretch is manageable, we'd also like
> to consider making the change by default in a future point release,
> although the number of packages that need updates may still be too large;
> we'd obviously discuss that with you in the normal way via a transition
> bug.
>
> Are you happy for us to introduce such a change in sid later this week,
> and start filing RC bugs about problems in other packages caused by
> the change?

Are these problems too difficult to change?

This should be fine, but if you can give an approximate list of affected
packages that would be appreciated.

Thanks,
Emilio

