Strawberry Perl Update

[obetz]

We bundle ExifTool as part of our application that we distribute to our customers.

Then you might consider to bundle also a Perl version of your choice.

Or at least telling me which version you would prefer - see the limitations listed above.

[obetz]

I'm using Image-ExifTool (the package, not the executable) and Perl 5.36 from ActiveState. No glitches and good customer support (even though I'm on a free plan).

I failed to understand the ActiveState EULA, it seemed to be rather restrictive.

[aerk]

There doesn't seem to be any open CVEs for 5.38.2 or above. So either that or a newer version would work fine.

We only use the x64 version so it would be okay if the x86 is left as is or updated to another version.

[obetz]

There doesn't seem to be any open CVEs for 5.38.2 or above. So either that or a newer version would work fine.

So you would accept the risk expressed in the comment "same compiler toolchain as version 5.38.0.1 so will have the same UTF-8 locale issues"?

[aerk]

I do not know how that impacts ExifTool so it is very difficult for me to answer.

[Phil Harvey]

I can't answer that either.

- Phil

[obetz]

So let me summarize:

• The status of Strawberry Perl releases is unclear.
• The licensing of ActiveState Perl is unclear, I don't dare to use it in a package.
• Any change has a risk of breaking something, for example trading "no CVE listed" for "UTF-8 locale issues".
• Perl 5.40 is still quite new. The fact that no CVE is listed does not mean that there is no vulnerability, it could just be unknown.

I would like the two requesters to weigh up the consequences well, taking into account that the new version must be useful for the general public and cannot address their specific requirements, and then make me a suggestion as to which Perl versions meet these requirements.