Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:58479
Return-Path: <glopes@nebm.ist.utl.pt>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 54095 invoked from network); 2 Mar 2012 13:05:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Mar 2012 13:05:56 -0000
Authentication-Results: pb1.pair.com smtp.mail=glopes@nebm.ist.utl.pt; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=glopes@nebm.ist.utl.pt; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain nebm.ist.utl.pt from 193.136.128.21 cause and error)
X-PHP-List-Original-Sender: glopes@nebm.ist.utl.pt
X-Host-Fingerprint: 193.136.128.21 smtp1.ist.utl.pt Linux 2.6
Received: from [193.136.128.21] ([193.136.128.21:34300] helo=smtp1.ist.utl.pt)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 26/BE-11220-2B5C05F4 for <internals@lists.php.net>; Fri, 02 Mar 2012 08:05:55 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp1.ist.utl.pt (Postfix) with ESMTP id 4590F70004A5;
	Fri,  2 Mar 2012 13:05:51 +0000 (WET)
X-Virus-Scanned: by amavisd-new-2.6.4 (20090625) (Debian) at ist.utl.pt
Received: from smtp1.ist.utl.pt ([127.0.0.1])
	by localhost (smtp1.ist.utl.pt [127.0.0.1]) (amavisd-new, port 10025)
	with LMTP id vLz+qwFD6FCz; Fri,  2 Mar 2012 13:05:51 +0000 (WET)
Received: from mail2.ist.utl.pt (mail.ist.utl.pt [IPv6:2001:690:2100:1::8])
	by smtp1.ist.utl.pt (Postfix) with ESMTP id EF88770003C3;
	Fri,  2 Mar 2012 13:05:50 +0000 (WET)
Received: from slws007.slhq.int (a79-168-248-114.cpe.netcabo.pt [79.168.248.114])
	(Authenticated sender: ist155741)
	by mail2.ist.utl.pt (Postfix) with ESMTPSA id 8BF5D2008839;
	Fri,  2 Mar 2012 13:05:50 +0000 (WET)
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: "Pierre Joye" <pierre.php@gmail.com>
Cc: "PHP internals" <internals@lists.php.net>
References: <CAEZPtU7qpMr9ZTX=+NDus05WA2RZ9A3rWNnHSr8WOBXjqbp4VQ@mail.gmail.com> <op.wajnk8ssidpuyk@slws007.slhq.int> <CAEZPtU7R0hgW+7CEzUzu4k+qmjSe7i8xN_pfbkcsHna4Ua76MA@mail.gmail.com>
Date: Fri, 02 Mar 2012 14:05:47 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: =?utf-8?Q?N=C3=BAcleo_de_Eng=2E_Biom=C3=A9di?=
 =?utf-8?Q?ca_do_I=2ES=2ET=2E?=
Message-ID: <op.wajnzxdzidpuyk@slws007.slhq.int>
In-Reply-To: <CAEZPtU7R0hgW+7CEzUzu4k+qmjSe7i8xN_pfbkcsHna4Ua76MA@mail.gmail.com>
User-Agent: Opera Mail/11.61 (Win32)
Subject: Re: [PHP-DEV] [RFC] discussions, about a 5.3 EOL
From: glopes@nebm.ist.utl.pt ("Gustavo Lopes")

On Fri, 02 Mar 2012 14:00:51 +0100, Pierre Joye <pierre.php@gmail.com>  
wrote:

> On Fri, Mar 2, 2012 at 1:56 PM, Gustavo Lopes <glopes@nebm.ist.utl.pt>  
> wrote:
>
>> I'd go with another option:
>>
>> One year of bug fixes, one year of security fixes and bug fixes that are
>> trivial to backport.
>
> Won't work. It is then two years bug fixing.
>
> The idea of security only is to reduce both the amount of work and the
> risk to break it inadvertently.
>
>> The truth is most of the time is less trouble to just merge the fix to
>> oldstable than
>> 1) determine if the bug is possibly exploitable
>> 2) ask the RM for approval
>
> One has to do both anyway already. We have to request CVE for security
> issues and to ask RM for invasive fixes.

Fair enough. Option #1 seems the most appropriate then. The others seem  
too drastic to implement with such short notice.

-- 
Gustavo Lopes