----- Original Message -----
From: "Chris Shiflett" <suppressed>
To: "Randal L. Schwartz" <suppressed>
Cc: "Geoffrey Young" <suppressed>; "Alex Solovey" <suppressed>; <suppressed>
Sent: Sunday, March 25, 2007 4:39 PM
Subject: Re: MP1 Security issue
Randal L. Schwartz wrote:
> I get around. I read various mailing lists. I'm not a dumb guy about Perl
> stuff. And by the way, I've already been yelled at. :) But this thing about
> "suppressed" is something that I wouldn't have thought to look for.

That's a weak defense. If you're a proponent of full disclosure, say so, but don't use ignorance as your defense in the same email where you claim to not be a "dumb guy."

You were probably yelled at for these reasons:

1. You thought you had discovered a serious security vulnerability.
2. You first mentioned it on a public mailing list.

Even if I knew nothing about responsibly reporting security vulnerabilities, my email to this list would have been something like this:

"I believe I've discovered a security vulnerability in mod_perl. To whom should I address my concerns?"

In the future, I highly suggest trying security@, support@, and info@ before disclosing a vulnerability, or ask this list for guidance. (It might be worth making sure at least one of these works with the perl.apache.org domain, e.g., suppressed)

Chris

--
Chris Shiflett
http://shiflett.org/
I saw my teenage daughter yesterday and finally succeeded in engaging her attention on the subject of Perl, which lasted as long as it took me to explain that I was subscribed to a mailing list concerning a very specialized technology that I was only on the fringes of, but that in the last few days there had been some rapid-fire back and forth on some hot security issue that was being fixed right before my eyes and that it was the most excitement I had ever seen on a mailing list ever! Well, she was genuinely interested from start to finish. What are the odds of the modperl mailing list being the inspiration for a breakthrough father-daughter moment like that? Pretty astronomical. Thanks, you guys. Randal in particular. As ever, the beating heart of Perl.
Best, Gerard Clerkin