[Freedombox-discuss] secure UUIDs

Jonas Smedegaard dr at jones.dk
Mon Jul 22 11:18:49 UTC 2013

Quoting Tim Retout (2013-07-22 12:30:57)
> On 22 Jul 2013 10:48, "Jonas Smedegaard" <dr at jones.dk> wrote:
>> Arrgh...!
>> You just educated me to inspect bugtrackers more closely: Perhaps if 
>> you'd not closed the Debian bug but left open and tagged as wontfix, 
>> then I'd noticed it when making a move now
> Indeed, in hindsight that would have been better.  :( Apologies.
> What really annoys me about this is that other distros do use the real 
> Data::UUID, but I struggled to get a CVE filed - how on earth does one 
> go about it?

Which ones?

Looking for possible patches by others, I checked Fedora but they also 
use OSSP::uuid, apparently.

> The multi-user issue isn't even described in a bug tracker, now that I 
> look at it. There's some sort of UUID_STATE file that can't be 
> overwritten, so I guess the UUIDs become less unique.

Perhaps the "state" is not user-specific but system-specific info?
Purely guessing here: Could be that MD5 hash of system name and IP...

Should we perhaps move this discussion somewhere else?  How about 
discussing at bug-Data-UUID at rt.cpan.org with subject line prefixed with 
"Re: [rt.cpan.org #69277] " ;-)

 - Jonas

 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private