Hi Gregor,

On Mon, Mar 16, 2020 at 9:35 AM gregor herrmann <gre...@debian.org> wrote:
>
> (Taking a random instance of the identical mass bug filing.)

Many are very similar, but not all are identical.

> - Is it realistic to patch dozens of upstream files?
> - Should the default be changed in HTTP::Tiny? (In src:perl and in
>   libhttp-tiny-perl) In Debian (or better upstream though the latter
>   might be difficult given the texts you quote.)

I pursued that route originally (although not exhaustively). HTTP::Tiny is apparently used in a lot of tests, which would have to be modified. Also, the module ships as part of Perl core.

In October of last year, I raised the issue with Debian's security team and received the following reply from Moritz Mühlenhoff, whom I copied (to avoid talking about people not present). Paul Wise was also party to the original exchange; he was likewise copied:

> It's not an acceptable default if one would create it from scratch today,
> but I can see their point wrt avoiding to change the default in retrospect
> on a widely installed base. Python made a similar change in 3.x which was
> backported to 2.7 with notable fallout.
>
> But that doesn't mean that we shouldn't review/change the setting
> as used by reverse dependencies in the archive, I suggest to file
> bugs with severity important for any reverse dependency of the module
> which doesn't have it enabled.
>
> The maintainers can then assess impact for their respective packages
> and adjust it for bullseye as they see fit (and add a NEWS for high
> profile cases).

As you can see, I am implementing a recommendation I received some time ago from Debian's security team.

Sorry about all the filings. Another five may follow.

Kind regards
Felix Lechner
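The setting the thread refers to is HTTP::Tiny's `verify_SSL` constructor option, which controls whether the peer's TLS certificate is checked against the system CA store. The following Perl snippet is an added illustration for maintainers of reverse dependencies and is not code from the thread or from the HTTP::Tiny project; `HTTP::Tiny->new`, the `verify_SSL` accessor and `can_ssl` are the module's real API, while `fetch_verified` is a hypothetical helper written for this example.

```perl
#!/usr/bin/perl
# Added example (not from the thread): the HTTP::Tiny verify_SSL setting
# that the bug filings ask reverse dependencies to enable.
use strict;
use warnings;
use HTTP::Tiny;

# Plain constructor: takes whatever the installed HTTP::Tiny's default is
# (certificate verification off in the versions discussed in the thread).
my $lax = HTTP::Tiny->new;

# Hardened constructor: verify the peer certificate against the CA store
# regardless of the module's default, so a default change in either
# direction does not silently alter the package's behaviour.
my $strict = HTTP::Tiny->new(verify_SSL => 1);

printf "default verify_SSL=%d, hardened verify_SSL=%d\n",
    $lax->verify_SSL ? 1 : 0, $strict->verify_SSL ? 1 : 0;

# Before issuing HTTPS requests, confirm the prerequisites. In list
# context can_ssl returns a boolean plus the reasons it failed, e.g.
# IO::Socket::SSL/Net::SSLeay missing or, with verify_SSL on, no CA
# bundle found; a package test can skip cleanly on that basis.
my ($ssl_ok, $why) = $strict->can_ssl;
print $ssl_ok ? "SSL ready\n" : "SSL unavailable:\n$why\n";

# HTTP::Tiny does not throw on a failed handshake: a certificate that
# does not verify comes back as an internal 599 response whose content
# carries the error text. Callers must check {success} to notice it.
sub fetch_verified {
    my ($url) = @_;    # hypothetical helper, constructed for this example
    my $res = $strict->get($url);
    unless ($res->{success}) {
        warn "GET $url failed: $res->{status} $res->{reason}\n";
        warn "  $res->{content}\n" if $res->{status} == 599;
        return;
    }
    return $res->{content};
}

# Usage: perl this_script.pl https://example.invalid/  (constructed URL)
if (@ARGV) {
    my $body = fetch_verified($ARGV[0]);
    print defined $body ? "fetched " . length($body) . " bytes\n"
                        : "no body\n";
}
```

Passing `verify_SSL => 1` explicitly is the change a maintainer can make in a single package without touching the default in src:perl or libhttp-tiny-perl; the `can_ssl` check and the 599 handling are what keep a test suite from either hanging on a missing CA bundle or silently accepting an unverified connection.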