Newsgroups: php.internals
Subject: Re: [PHP-DEV] Comments on PHP security
From: "Jordan Moore" <jordanryanmoore@gmail.com>
To: "Ilia Alshanetsky"
Cc: internals@lists.php.net
Date: Thu, 11 Jan 2007 11:35:13 -0800
Message-ID: <61504d990701111135o37485758mabca52950654d624@mail.gmail.com>
In-Reply-To: <832D0C38-27FF-4ACA-9942-77F0F5E88C0C@prohost.org>
References: <20070111144144.GV15998@mint.phcomp.co.uk> <45A65B19.40900@lerdorf.com> <45A6600D.1090500@hardened-php.net> <45A67E74.1080904@zend.com> <45A6891E.8070302@hardened-php.net> <61504d990701111123t2ea8627cs829cd37f996ee3af@mail.gmail.com> <832D0C38-27FF-4ACA-9942-77F0F5E88C0C@prohost.org>

That was my intent when I joined the list. I wanted to get a feel for the community and the development process. This is the first open-source project that I've considered contributing to, so it's all new to me. I still plan to dive into it, but it's disheartening to see some of these petty arguments.

That is all...

Jordan

On 1/11/07, Ilia Alshanetsky wrote:
> Rather than commenting on what other people should and should not do,
> do something productive like fix bugs or help to extend the PHP test
> suite.
>
> On 11-Jan-07, at 2:23 PM, Jordan Moore wrote:
>
> > This is pathetic. I thought most of you were adults, but I really
> > can't tell sometimes.
> >
> > Why can't this be discussed without everyone getting upset and
> > snapping at each other? The biggest problem with PHP right now is how
> > thick-headed and cocky some of the posters to this list are. Grow up,
> > and then maybe PHP will have a chance to grow up.
> >
> > It's only taken a couple months to realize how much time is wasted on
> > political crap on this list instead of bug-fixing.
> >
> > On 1/11/07, Stefan Esser wrote:
> >>
> >> > I wonder what do you mean by that - that PHP group should publish
> >> > press release "PHP is not secure, please do not use it anymore" or
> >> > what? I see PHP group is working quite well eliminating the security
> >> > issues. As far as I know, last year there were 7 remotely exploitable
> >> > issues in PHP (which is regrettable but that's the way of life to have
> >> > bugs), and all of them are fixed, IIRC, and within acceptable
> >> > timeframe (the last can be debatable, but PHP being open source project
> >> > the only way to fix it is to get more participation from people in
> >> > submitting patches). I know of no remotely exploitable security issue
> >> > that is now in current PHP version.
> >> > So I wonder what would you like PHP Group to improve? What would you
> >> > mean by facing reality - what in your opinion the reality is and what
> >> > would you have PHP group to do to satisfy you on facing reality account?
> >>
> >> First of all PHP group is doing nothing. Neither do they improve PHP's
> >> security nor do they stop well known PHP license abusers (because they
> >> are friends).
> >> Secondly security patches are done by Ilia and maybe the Zend stuff by
> >> Dmitry. All the others are doing nothing in the sense of security.
> >>
> >> And do I need to remind you about a certain bug in the new super duper
> >> Zend Memory manager that results in a far too small buffer being
> >> allocated?
> >>
> >> Do I need to post an exploit that uses this bug to exploit for example
> >> the Soap HTTP client from ext/soap? This is a kind of remote exploit
> >> against PHP. And god knows how many other places are vulnerable because
> >> of the new "improved" Zend Memory Manager.
> >>
> >> And what about the heap underflow bug in ext/filter... Also not a remote
> >> exploit?
> >>
> >> The fact that you do not know about any remote exploit against PHP is
> >> quite irrelevant for reality.
> >>
> >> Stefan Esser
> >>
> >> --
> >> PHP Internals - PHP Runtime Development Mailing List
> >> To unsubscribe, visit: http://www.php.net/unsub.php
>
> Ilia Alshanetsky

--
Jordan Moore - Creative Director
Sanctus Studios LLC
http://sanctusstudios.com
(360) 616-4818