Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP Release Process Sucks
From: Ilia Alshanetsky <ilia@prohost.org>
To: Stefan Esser
Cc: PHP internals
Date: Mon, 15 May 2006 11:36:30 -0400
Message-ID: <9854F2DC-4DD8-46E7-863F-3B4FF2327C49@prohost.org>
In-Reply-To: <4468848D.5020602@php.net>

On 15-May-06, at 9:39 AM, Stefan Esser wrote:

> Hello,
>
> okay, mistakes happen every day but it really sucks that PHP.net
> continues trying to hide mistakes.
>
> 1) PHP 5.1.4 was released with a nonsense announcement claiming that
> there was only a problem with POST arrays or POST file uploads.
> -> In reality a paid Zend developer had destroyed the handling of
> arrays in any kind of user input in PHP 5.1.3 completely. Ironically
> after that incident another Zend man came forward and dares to say "I
> don't trust our core testers anymore"

That is what the bug reports that appeared in relation to the problem
were complaining about; the announcement was tailored to address the
issues raised by those people.

> 2) PHP 5.1.4 was lacking the PEAR installer which resulted in make
> install downloading the file from the web.
> a) this part should be removed from the make file completely
> because 'make install' is usually executed as root and under no
> circumstances should download a file from an insecure HTTP source.

We didn't have an automated process for including PEAR's phar file; it
is now part of the release generation script. As far as the automated
download, for full releases this will not be necessary in the future as
it will be included by default.

As far as the phar download, I think it either needs to require a
confirmation prompt or simply not be done automatically; either way is
fine by me.

> b) this fact was again hidden by silently replacing the PHP 5.1.4
> tarball with a new one, after the other one was out for more than a
> week.

The code in the release did not change one bit; the only change was the
inclusion of the missing phar file, and this hardly warrants 5.1.5 or
even 5.1.4pl1. This will have no impact on people who have already
downloaded and installed PHP, nor will it impact people who have yet to
download PHP.

> PHP.net is more and more turning into Microsoft (more than 3 months to
> resolve critical security problems). I guess that comes with the
> involvement of Enterprise companies.

The patches for security holes are usually in within a week; if you want
to fetch them you can do so either in the form of a PHP snapshot or as a
specific patch from CVS. To make a release every time we get a security
fault is impractical. Like most other projects, a number of security
fixes is combined into a group, and when the group is sufficiently large
a release is made. None of the bugs resolved were super-critical issues
such as remote code execution, which would indeed warrant something like
an emergency release just for that particular patch.

Ilia