Newsgroups: php.internals
Date: Mon, 8 Dec 2008 17:18:41 +0100
From: bjori@php.net ("Hannes Magnusson")
To: "Pierre Joye"
Cc: "Johannes Schlüter", "PHP Internals List"
Subject: Re: [PHP-DEV] About dropping magic_quotes in 5.3 (was: Re: [PHP-DEV] Re: PHP 5.2.7 + magic_quotes_gpc broken)

On Mon, Dec 8, 2008 at 16:57, Pierre Joye wrote:
> On Mon, Dec 8, 2008 at 4:47 PM, Johannes Schlüter wrote:
>>
>> When dropping magic_quotes the hosting company can do one of two things:
>>
>> a) not update to 5.3 so we either have to maintain 5.2 for some time or
>> let them have problems
>
> +1

We cannot simply nuke a feature that was once upon a time sold as a
security feature, and is still enabled by default, just "out of the
blue".

> I already discussed the possibility to maintain the 5.2 branch after
> 5.3-final (irc and some meetings) and I like to do it (in any case). I
> do think it is something to do but only for critical bug fixes
> (security or crash only).

Of course should we continue to do security releases for "previous
minor releases" until the "new one" is up to .2 or .3 at least.

> We may say that it is the job of the distributors, but I'd to
> disagree. It is critical for us to provide sources and binary releases
> of a stable branch officially, even after a newer branch has been
> released.

How are distributions supposed to keep up to date with security fixes
anyway?
The only distro that has a chance is RHEL because they have an "inside guy".
We really need to work on our relationship with other distros,
starting with marking security fixes as security fixes.

-Hannes