Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:23367
Return-Path: <sesser@php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 3135 invoked by uid 1010); 15 May 2006 13:39:37 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 3120 invoked from network); 15 May 2006 13:39:37 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 15 May 2006 13:39:37 -0000
X-PHP-List-Original-Sender: sesser@php.net
X-Host-Fingerprint: 81.169.145.179 natipslore.rzone.de Solaris 10 (beta)
Received: from ([81.169.145.179:62020] helo=natipslore.rzone.de)
	by pb1.pair.com (ecelerity 2.0 beta r(6323M)) with SMTP
	id 5D/F0-19568-89488644 for <internals@lists.php.net>; Mon, 15 May 2006 09:39:36 -0400
Received: from [192.168.1.77] (p50874525.dip.t-dialin.net [80.135.69.37])
	by post.webmailer.de (8.13.6/8.13.6) with ESMTP id k4FDdUi8001610
	for <internals@lists.php.net>; Mon, 15 May 2006 15:39:31 +0200 (MEST)
Message-ID: <4468848D.5020602@php.net>
Date: Mon, 15 May 2006 15:39:25 +0200
User-Agent: Thunderbird 1.5.0.2 (Windows/20060308)
MIME-Version: 1.0
To: PHP internals <internals@lists.php.net>
X-Enigmail-Version: 0.94.0.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Subject: PHP Release Process Sucks
From: sesser@php.net (Stefan Esser)

Hello,

okay, mistakes happen everyday but it really sucks that PHP.net
continues trying to hide mistakes.

1) PHP 5.1.4 was released with a nonsense announcement claiming that
there was only a problem with POST arrays or POST fileuploads.
    -> In reality a paid Zend developer had destroyed the handling of
arrays in any kind of user input in PHP 5.1.3 completely. Ironically
after that incident another Zend man came forward and dares to say "I
don't trust our core testers anymore"
2) PHP 5.1.4 was lacking the PEAR installer which resulted in make
install downloading the file from the web.
    a) this part should be removed from the make file completlely
because 'make install' is usually executed as root and under no
circumstances should download a file from an insecure HTTP source.
    b) this fact was again hidden by silently replacing the PHP 5.1.4
tarball with a new one, after the other one was out for more than a week.

PHP.net is more and more turning into Microsoft (more than 3 months to
resolve critical security problems). I guess that comes with the
involvement of Enterprise companies.

Yours,
Stefan Esser