[Wikimedia-l] Disinformation regarding perfect forward secrecy for HTTPS

Matthew Flaschen mflaschen at wikimedia.org
Fri Aug 2 21:50:32 UTC 2013


On 08/02/2013 05:06 PM, James Salsman wrote:
> Marc, I note that you have recommended not keeping the Perl CPAN
> modules up to date on Wikimedia Labs:
> http://www.mediawiki.org/w/index.php?title=Wikimedia_Labs/Tool_Labs/Needed_Toolserver_features&diff=678902&oldid=678746
> saying that out of date packages are the "best tested" when in fact
> almost all CPAN packages have their own unit tests. That sort of
> reasoning is certain to allow known security vulnerabilities to
> persist when they could easily be avoided.

Besides being from a few months ago, and unrelated to this conversation,
I think that's a mis-characterization of what he said.

He said in general he would lean towards "keeping the distribution's
versions since those are the better tested ones", but noted it should be
looked at on a "package-by-package basis", and that "there may well be
good reasons to bump up to a more recent version" (a security
vulnerability that the distro isn't fixing rapidly enough would be such
a reason).

It seems from the context "better tested" meant something like "people
are using this in practice in real environments", not only automated
testing.

Matt Flaschen
