Newsgroups: php.internals
Xref: news.php.net php.internals:33347
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: dz@bitxtender.com (David Zülke)
To: Lukas Kahwe Smith
Cc: PHP Developers Mailing List
Date: Tue, 20 Nov 2007 01:33:40 +0100
Message-ID: <12BB8F82-A74B-467B-9023-5D2DA2E45314@bitxtender.com>
References: <47401946.2050406@sektioneins.de> <4740B136.2080207@hardened-php.net> <4217C4AB-1725-4D54-95D0-82262DB012BC@pooteeweet.org> <21E0FBBA-645D-4883-A9A9-7BCDC74D74A1@bitxtender.com>

>> Yes, that is exactly the way to go. To quote Yoda (and he would
>> know): "Do, or do not. There is no try." Or, in contemporary
>> words: do things 100% properly, but if that is not possible, take a
>> step back and spare the world some half-arsed attempt.
>
> This makes no sense to me. There is nothing like 100% secure as long
> as you don't pull the plug on the entire application. The only secure
> application is one that hasn't been deployed anywhere. So the
> question boils down to more "does this increase security
> sufficiently to make the drawbacks acceptable".

And the answer is "no" ;) That's my point! Because one of the drawbacks is that it won't cut down the number of dumb ignorants who don't care about that stuff. Why would they, "teh PHP is making things hax0r proof now" after all.

David