[Freedombox-discuss] secure UUIDs
Jonas Smedegaard
dr at jones.dk
Mon Jul 22 09:49:15 UTC 2013
Quoting Tim Retout (2013-07-22 10:06:56)
> On 21 Jul 2013 00:05, "Jonas Smedegaard" <dr at jones.dk> wrote:
>> As mentioned in my previous reply I am working on getting the proper
>> CPAN Data::UUID in Debian, so would be great if you could similarly
>> take a look at that.
>
> I do not trust CPAN's Data::UUID for other reasons - I filed RT bug
> #69277 a while ago (symlink attack):
>
> https://rt.cpan.org/Public/Bug/Display.html?id=69277
>
> This was while working on Debian bug #632608:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632608
>
> In short, Data::UUID does not work well on multi-user systems. I seem
> to recall that every user after the first to use the module will end
> up ignoring whatever it was storing in /tmp. I can't see anything in
> the changelog that has addressed this.

Arrgh...!

You just educated me to inspect bugtrackers more closely: Perhaps if
you'd not closed the Debian bug but left it open and tagged as wontfix,
then I'd have noticed it when making a move now - but that doesn't excuse
my lack of looking at upstream bugtracker(s - there are more than one!).

- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
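
Added example (not part of the original message, and not Data::UUID's own code): a Python sketch of opening a state file in a shared directory such as /tmp without following a symlink, with one file per user so that a second user neither reuses nor clobbers the first user's file. The function names, file names and the per-uid naming scheme are assumptions made for illustration.

```python
import os
import stat
import tempfile

def open_state_file(path):
    """Open or create a state file without following symlinks; return an fd."""
    flags = os.O_RDWR | os.O_NOFOLLOW | os.O_CLOEXEC
    try:
        # O_EXCL: creation fails if any name exists, even a dangling symlink.
        fd = os.open(path, flags | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        # Name exists: reopen it; O_NOFOLLOW makes a symlink fail (ELOOP).
        fd = os.open(path, flags)
    st = os.fstat(fd)  # inspect the object actually opened, not the path
    trusted = (stat.S_ISREG(st.st_mode) and st.st_uid == os.getuid()
               and st.st_nlink == 1)
    if not trusted:
        os.close(fd)
        raise PermissionError(f"refusing untrusted state file: {path}")
    return fd

def demo():
    """Constructed scenario: a pre-existing symlink versus a per-user file."""
    results = {}
    with tempfile.TemporaryDirectory() as shared:  # stands in for /tmp
        other = os.path.join(shared, "other.txt")  # file the link points at
        with open(other, "w") as f:
            f.write("important")
        linked = os.path.join(shared, "state_linked")
        os.symlink(other, linked)  # constructed: link present before first use
        try:
            os.close(open_state_file(linked))
            results["symlink"] = "opened"
        except OSError:
            results["symlink"] = "refused"
        own = os.path.join(shared, f"state.{os.getuid()}")  # per-user name
        fd = open_state_file(own)
        os.write(fd, b"seed")
        os.close(fd)
        fd = open_state_file(own)  # a later run reuses this user's own state
        results["reused"] = os.read(fd, 16)
        os.close(fd)
        with open(other) as f:
            results["other"] = f.read()  # link target must be untouched
    return results

if __name__ == "__main__":
    print(demo())
```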