Newsgroups: php.internals
Date: Mon, 19 Nov 2007 23:45:52 +0100
From: mls@pooteeweet.org (Lukas Kahwe Smith)
To: David Zülke, PHP Developers Mailing List
Subject: Re: [PHP-DEV] Tainted Mode Decision

On 19.11.2007, at 21:50, David Zülke wrote:

> On 18.11.2007, at 22:53, Lukas Kahwe Smith wrote:
>
>> Stefan, so what is your point then? Since neither can be 100%
>> secure, do not use any? Or just do not bundle either?
>
> Yes, that is exactly the way to go. To quote Yoda (and he would
> know): "Do, or do not. There is no try.". Or, in contemporary
> words: do things 100% properly, but if that is not possible, take a
> step back and spare the world some half-arsed attempt.

This makes no sense to me. There is nothing like 100% secure as long
as you don't pull the plug on the entire application. The only secure
application is one that hasn't been deployed anywhere. So the question
boils down to more "does this increase security sufficiently to make
the drawbacks acceptable".

regards,
Lukas