Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:103602
Return-Path: <chasepeeler@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 93522 invoked from network); 13 Dec 2018 19:11:43 -0000
Received: from unknown (HELO mail-lj1-f170.google.com) (209.85.208.170)
  by pb1.pair.com with SMTP; 13 Dec 2018 19:11:43 -0000
Received: by mail-lj1-f170.google.com with SMTP id t9-v6so2161242ljh.6
        for <internals@lists.php.net>; Thu, 13 Dec 2018 07:39:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=FvxDt98VUaqLMnKVUmxa5aLR/UbLwGguoeisoL+djSs=;
        b=peiX5EQBApO6dhT5VhXnbnqBw1xn9ZZdOTL7E3Jk65Qmfpp90Mbi/3P9Ug2G2e4T9/
         ak8dMMF/juGd9q6wxsCBTebPkcGr6PLiPAVkI7emdvdakXY+HmdYAF2XHhlVmuBGT3nE
         qx5uuoLnh4l3giIuFFjqZ0cPiKaH6gZZ6zuIwXwoMCVO/Tqy9BdQc20IZGS9su0CACPm
         Cb31YFMDBBCcsaJS7jNz6mDG4ao/4vTZFqTmzHNMoasJcP1vLWnJ+4CPNFbj7VRLWTxk
         ORax1nwTXk/PM+uy9Z65/2pUabdtg44qeFT/5zMNHbjrMW7M10GBTgvjTy60NB581soB
         BcPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=FvxDt98VUaqLMnKVUmxa5aLR/UbLwGguoeisoL+djSs=;
        b=agGHefjAGUPaijnNJ84ut68JoI56v+OcN/x0YnN0zLtLWEse9beXKGXx86Ua6iEV2t
         0s58nHzGDx5lLtZv6lIzRfuZFmxbGgoDg+Ehdu4dOGm3+t2lpW31TZo1Renz9z/L5x77
         g1rEkWgk1+e1V9YatYUHXgV0vMHAcDjSlW6+t/YyujlIoDPge3a38exi16sbQUBXhlND
         yAwzHDYTTMixD4XQAxlo0eh05KNs14mxGZf77sDJ3s5vnEyNlwcWhgP4o+34EAbT5nNZ
         kfQPgYy/di5xPHVtnVrGsMcKdxlKwUXTcZ14SjIZaC8TKepYkzl0FzBiAnFYwd77inPN
         lr8w==
X-Gm-Message-State: AA+aEWbKLjeJMJ7RBTwX8kRT4fVqfYOU8nQwXHkaa/jo5ZRZmjmLT0Ge
	rQ63Aqfwo1jUM8Lv+IuxL2Ll9dA4QC1ws9K7Hdo=
X-Google-Smtp-Source: AFSGD/US322PnkEqORpq4ow3Yid0Fj3vlZS9c1g3Ed6+2J7PbprKFmT/Ukp5sMYOJC86+9n2b8i/P6sKwCBETbx/5to=
X-Received: by 2002:a2e:5703:: with SMTP id l3-v6mr16455013ljb.106.1544715562431;
 Thu, 13 Dec 2018 07:39:22 -0800 (PST)
MIME-Version: 1.0
References: <BY1PR02MB126022AD4151506F6486D6A7BFA90@BY1PR02MB1260.namprd02.prod.outlook.com>
 <CAESVnVoPensNBBymLAEbqJ4PTDXKKwqBYLB9=ZkJU83CnXXZMA@mail.gmail.com> <HE1PR05MB4665C9B5A6CBA44F6A06C527BAA70@HE1PR05MB4665.eurprd05.prod.outlook.com>
In-Reply-To: <HE1PR05MB4665C9B5A6CBA44F6A06C527BAA70@HE1PR05MB4665.eurprd05.prod.outlook.com>
Date: Thu, 13 Dec 2018 10:39:10 -0500
Message-ID: <CAPKYkKxc7DS5o0RtT7CnOJOTHPOOnm_6mMUCRwr5CsJXQo4rZw@mail.gmail.com>
To: Anatol Belski <ab@php.net>
Cc: Sara Golemon <pollita@php.net>, Dmitry Stogov <dmitry@zend.com>, 
	PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="00000000000060c31a057ce91e61"
Subject: Re: [PHP-DEV] [RFC] FFI - Foreign Function Interface
From: chasepeeler@gmail.com (Chase Peeler)

--00000000000060c31a057ce91e61
Content-Type: text/plain; charset="UTF-8"

On Wed, Dec 12, 2018 at 11:15 AM Anatol Belski <ab@php.net> wrote:

> Hi Sara,
>
> > -----Original Message-----
> > From: Sara Golemon <pollita@php.net>
> > Sent: Tuesday, December 11, 2018 5:20 PM
> > To: Dmitry Stogov <dmitry@zend.com>
> > Cc: PHP internals <internals@lists.php.net>
> > Subject: Re: [PHP-DEV] [RFC] FFI - Foreign Function Interface
> >
> > I'm not super enthused by having "ffi.enable=true" even be an option, to
> be
> > quite honest.  For CLI, sure but the damage that can be wrought from a
> web
> > server exposed to the internet is non-trivial.  And I'm also going to
> let my
> > prejudice show: I don't trust someone who doesn't know how to write an
> > extension in C to use FFI.  Heck, I've seen some extensions that make me
> > wince pretty hard, but at least there I feel like they've had to do
> something
> > more thoughtful than copy-paste an example from stack overflow and
> > change a name or two without any concern for how an unmanaged language
> > works.
> >
> IMO ffi.enable=true by default is ok. Clearly there's a concern about the
> web server usage. However, to give a parallel, there's a lot modules like
> numpy in Python using ctypes and ffi and they're usable with say Django. It
> is all a consideration of stability and QA. Developing a module with ffi
> will likely require a C debugger to be at hand :) If someone copy-paste ffi
> code into their production without an appropriate QA, well - there's
> probably no method that could be ever invented to protect against such
> practice. One can actually tell same about pure PHP code, that is used
> without appropriate testing. Otherwise, given there were established
> modules based on FFI, that are installed a responsible way, having more
> hurdles than needed were probably a surplus. Hosting providers and other
> parties would be able to figure best secure ways to handle this for their
> customers anyway.
>
> Regards
>
> Anatol
>

My feeling has always been that we shouldn't keep powerful features from
good developers because other developers might create poor applications/use
it incorrectly.
-- 
-- Chase
chasepeeler@gmail.com

--00000000000060c31a057ce91e61--