Newsgroups: php.internals
Subject: Re: [PHP-DEV] PHP Release Process Sucks
From: sesser@php.net (Stefan Esser)
To: Ilia Alshanetsky, PHP internals
Date: Mon, 15 May 2006 17:50:56 +0200
Message-ID: <4468A360.5050609@php.net>
References: <4468848D.5020602@php.net> <9854F2DC-4DD8-46E7-863F-3B4FF2327C49@prohost.org>
In-Reply-To: <9854F2DC-4DD8-46E7-863F-3B4FF2327C49@prohost.org>

Hey,

> The code in the release did not change one bit, the only change was the
> inclusion of the missing phar file, this hardly warrants 5.1.5 or even
> 5.1.4pl1. This will have no impact on people who have already
> downloaded and installed PHP, nor will this impact people who have yet
> to download PHP.

It will have an effect on everyone using f.e. Gentoo Linux or the BSD ports
system, because mysteriously the hash of the tarball changed and people will
get warnings about modified tarballs. It also has the effect that I am
getting emails from people asking me if PHP.net was backdoored, because the
MD5 hash changed....

And if you want to change tarballs and don't change the version number
(which is considered very bad by many people) then at least WARN people
about the modified tarball. A simple message "tarball was missing PEAR and
was therefore rerolled" is not so bad...

> The patches for security holes are usually in within a week, if you
> want to fetch them you can do so either in the form of a PHP snapshot or
> a specific patch from CVS. To make releases every time we get a security
> fault is impractical.

First, the zend_hash_del() bug caused remote code execution in a bunch of
popular PHP scripts.

Secondly, most open source projects release security bugfix releases.
PHP.net on the other hand doesn't do this anymore. There are no security-only
fixes anymore. Instead we release not properly tested new versions of PHP
that break tons of servers. (fastcgi ....)

And well... I still see no PHP 4.4.3 on PHP.net... However, we still offer
the PHP 4.4.2 tarball (knowing that it has critical security holes).

So either we release a security FIX release or we kick the tarball and
declare PHP4 unsupported from now on.

Yours,
Stefan Esser
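The "modified tarball" warnings from Gentoo and the BSD ports trees that the reply above describes come from a digest pin: the build system records a hash of the release tarball and refuses to unpack a file whose bytes differ, whether or not the version number changed. The POSIX shell script below is an added example of that check, not code from this thread or from PHP.net or any ports project. It uses SHA-256 instead of the MD5 of 2006, the digest_of/verify_tarball/demo names are this example's own, and the "release" it verifies is a constructed sample file, not a real PHP tarball.

```shell
#!/bin/sh
# Added example: reproduce the pinned-digest check a ports/package system
# performs before unpacking a release tarball. Not code from the thread.

# digest_of FILE: print the hex SHA-256 of FILE, using coreutils sha256sum
# where available and BSD/macOS shasum otherwise.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED_HEX: exit 0 when FILE matches the pinned
# digest, 1 when its bytes changed (the "modified tarball" case).
verify_tarball() {
    actual=$(digest_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches pinned digest"
        return 0
    fi
    echo "WARNING: $1 does not match pinned digest (expected $2, got $actual)" >&2
    return 1
}

# demo: constructed scenario. Pin a "release", then reroll it under the same
# file name with one extra file added; the pin must now reject it.
# Returns 0 when both the accept and the reject behave as expected.
demo() {
    tmp=$(mktemp -d)
    rel="$tmp/php-5.1.4.tar.gz"          # constructed stand-in, not a real tarball
    printf 'original release contents\n' > "$rel"
    pinned=$(digest_of "$rel")
    if ! verify_tarball "$rel" "$pinned"; then
        rm -rf "$tmp"; return 1
    fi
    # Reroll: same version number, different bytes.
    printf 'original release contents\nplus the missing pear file\n' > "$rel"
    if verify_tarball "$rel" "$pinned"; then
        rm -rf "$tmp"; return 1       # a silent reroll must not pass
    fi
    rm -rf "$tmp"
    return 0
}
```

Run `demo` to see one accepted and one rejected verification; the second WARNING line is the message a ports user sees when a tarball is rerolled without a version bump, and the only way to make it go away is to publish the new digest alongside an explanation of why the file changed.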