|
Message-ID: <d98ab3d26a1aeffb7542ba96b4bb73a5761b052e.camel@orlitzky.com> Date: Wed, 03 May 2023 17:55:13 -0400 From: Michael Orlitzky <michael@...itzky.com> To: oss-security@...ts.openwall.com Subject: Re: Perl's HTTP::Tiny has insecure TLS cert default, affecting CPAN.pm and other modules On Wed, 2023-05-03 at 22:40 +0200, Moritz Bechler wrote: > > while one may criticize that CVEs have been assigned both for the > insecure default and (some of the) insecure usages, at least one of > these is a legitimate case, in terms of CVEs likely the latter. And when > it comes to defaming projects, at least in my book, choosing, keeping > and defending bad defaults speaks to much more than a CVE being assigned. They're both bad defaults. One explicitly does no authentication, while the other uses a corrupt and misunderstood process that can create a false sense of security. We disagree on which is worse, but neither viewpoint is ludicrous.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.