[Freedombox-discuss] secure UUIDs
Jonas Smedegaard
dr at jones.dk
Mon Jul 22 11:18:49 UTC 2013
Quoting Tim Retout (2013-07-22 12:30:57)
> On 22 Jul 2013 10:48, "Jonas Smedegaard" <[1]dr at jones.dk> wrote:
>> Arrgh...!
>>
>> You just educated me to inspect bugtrackers more closely: Perhaps if
>> you'd not closed the Debian bug but left open and tagged as wontfix,
>> then I'd noticed it when making a move now
>
> Indeed, in hindsight that would have been better. :( Apologies.
>
> What really annoys me about this is that other distros do use the real
> Data::UUID, but I struggled to get a CVE filed - how on earth does one
> go about it?
Which ones?
Looking for possible patches by others, I checked Fedora but they also
use OSSP::uuid, apparently.
> The multi-user issue isn't even described in a bug tracker, now that I
> look at it. There's some sort of UUID_STATE file that can't be
> overwritten, so I guess the UUIDs become less unique.
perhaps the "state" is not user-specific but system-specific info?
Purely guessing here: Could be that md5 hash of system name and ip...
Should we perhaps move this discussion somewhere else? How about
discussing at bug-Data-UUID at rt.cpan.org with subject line prefixed with
"Re: [rt.cpan.org #69277] " ;-)
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20130722/c2109c28/attachment-0001.sig>
More information about the Freedombox-discuss
mailing list