Newsgroups: php.internals
Date: Thu, 11 Jan 2007 10:14:12 -0800
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
To: Stefan Esser
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] Comments on PHP security

> PS: Stop the "We are secure" marketing and face reality

I wonder what you mean by that - that PHP group should publish a press release "PHP is not secure, please do not use it anymore" or what? I see PHP group is working quite well eliminating the security issues. As far as I know, last year there were 7 remotely exploitable issues in PHP (which is regrettable but that's the way of life to have bugs), and all of them are fixed, IIRC, and within an acceptable timeframe (the last can be debatable, but PHP being an open source project, the only way to fix it is to get more participation from people in submitting patches). I know of no remotely exploitable security issue that is now in the current PHP version.

So I wonder what you would like PHP Group to improve? What do you mean by facing reality - what in your opinion is the reality, and what would you have PHP group do to satisfy you on the facing reality account?

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/