Beefy Boxes and Bandwidth Generously Provided by pair Networks
Welcome to the Monastery
 
PerlMonks  

Re^10: 5.18.0 is available NOW!

by BrowserUk (Pope)
on May 22, 2013 at 10:36 UTC ( #1034716=note: print w/replies, xml ) Need Help??


in reply to Re^9: 5.18.0 is available NOW!
in thread 5.18.0 is available NOW!

This process is called "responsible disclosure".

That can lead to "a feeling of false security."

The patches mitigating CVE-2013-1667 are all public.

The patches are public; but whether they actually address the perceived problem -- nor even if the perceived problem is actually a problem -- cannot be determined without knowing what the problem is.

The only code which is not public is the code which demonstrates a key-discovery attack on perls old hash function,

Easily reproduced with a 20 line script. It is running now:

You do not know what you are talking about

Actually, I do. As you will find out.


With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

Replies are listed 'Best First'.
Re^11: 5.18.0 is available NOW!
by demerphq (Chancellor) on May 22, 2013 at 10:57 UTC

    The patches are public; but whether they actually address the perceived problem -- nor even if the perceived problem is actually a problem -- cannot be determined without knowing what the problem is.

    Actually, I do. As you will find out.

    I look forward to reading your patch. But I find it hard to reconcile your two statements. On one hand you admit you don't know what the problem is, yet on the other you assert you know what you are talking about. Both can't be right. IMO if you understand the patches you should be able to figure out the attack and recreate it.

    ---
    $world=~s/war/peace/g

      I look forward to reading your patch.

      I didn't offer one.

      On one hand you admit you don't know what the problem is, yet on the other you assert you know what you are talking about. Both can't be right.

      Of course they can. (Look back for the phrase "unfortunately necessary supposition".)

      if you understand the patches

      Bingo!

      But that only tells us the problem that you feel needs addressing and how you've chosen to tackle it.

      It doesn't tell us how you think that scenario might come about; nor what other solutions have been considered.

      But enough! We've descended below what is apparently the justifiable cut-off for the depth of a discussion (>10), and all we are doing is talking at each other, so let's stop here and see what time will tell us.


      With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
      Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
      "Science is about questioning the status quo. Questioning authority".
      In the absence of evidence, opinion is indistinguishable from prejudice.

        No patch no point. Until you can produce a better patch stop spreading FUD.

        ---
        $world=~s/war/peace/g

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1034716]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (4)
As of 2020-10-26 21:32 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    My favourite web site is:












    Results (254 votes). Check out past polls.

    Notices?