Randal L. Schwartz wrote:
>>>>>> "Jonathan" == Jonathan Vanasco <[EMAIL PROTECTED]> writes:
>
> Jonathan> Randal didn't raise or report a new security threat -- he
> Jonathan> re-categorized an active bug discussion as a security threat.
>
> Just for the record, I'm now clear (thanks to new information) that I handled
> this poorly, and will handle it differently the next time.

In all fairness, I do appreciate you paying attention and speaking up. If the security implications had not been brought up, there's always the possibility that Evil Guy would have seen the exploit, that the developers wouldn't have patched things fast enough, and that much chaos would have been the result. I just wish we hadn't given the bad guys such a clear roadmap to the chaos :)

> I apologize for any stress or grief, or even break-in, that may have resulted
> from my actions.

Thankfully, I don't think the risk is as great as anybody thought at first. But just to put things in perspective, the top two mod_perl shops transact _billions_ of dollars through mod_perl servers, so a more serious security threat... well, I think that could have had an incredible impact on all of us who work in open source, not just our little corner of it.

> Jonathan> People have commented "This isn't the proper way to report a
> Jonathan> security threat." Well, right now ModPerl doesn't have a published
> Jonathan> protocol for dealing with security threats.
>
> I *do* strongly support this statement though. Even after having been LARTed,
> googling for "security mod_perl" didn't reveal anything in the first ten hits
> that would be remotely useful here.
>
> This *can* be fixed for the future. (Nudge to the developers.)

I had actually started patching the documentation before Jonathan said anything, so expect something soonish. Still, short of an official channel to report security issues, it's probably always safe to say "Hey, I think this poses a security issue. What's the best way to handle things?" no matter which mailing list you're on :)

--Geoff
