Newsgroups: php.internals
Subject: Re: [PHP-DEV] open_basedir?
From: phpmailinglists@gmail.com (Peter Bowyer)
To: Stanislav Malyshev
Cc: Nikita Popov, PHP internals
Date: Wed, 8 May 2019 07:37:42 +0100
In-Reply-To: <5ac2a666-61e3-877b-6c4d-6b4b78996c91@gmail.com>

On Tue, 7 May 2019 at 20:05, Stanislav Malyshev wrote:

> So before just swinging the ax and dropping it I think we should really
> research what people are actually using open_basedir for. And then try
> to formulate a proper description of what it can be used for without
> claiming any security guarantees we could not deliver.

Yes.

> In general, I think we should slow down a bit (actually, a lot) with
> removing things from PHP. We've already accumulated a lot of BC baggage
> here, and if we want PHP 8 to become the version of PHP that an average
> developer can target without hearing "yeah, we're planning to upgrade
> sometime in the next 2-3 years, probably, maybe", then we should slow
> down with the removals.
>
> PHP 7 had a rather short list of removed things, and most of them very
> marginally used. And that IMHO worked well. Here we're talking about
> things that are used - on my estimation - much more widely. open_basedir
> particularly is not that bad in this regard, because likely no app
> critically depends on it being there - so it's more of a generic comment
> about what I am seeing on the lists nowadays, where tons of removals and
> global overhauls with enormous BC costs are proposed.

I agree with Stas. I support a campaign of education by doing Nikita's a) & b), with the addition of:

c) highlighting the performance impact (particularly if it can be quantified)

d) updating the PHP.ini comment to say it is not recommended to enable, with details of a), b) & c)
https://github.com/php/php-src/blob/master/php.ini-development#L295-L300

I will vote against removing if it comes to a vote.

Peter