Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:72116 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 28602 invoked from network); 3 Feb 2014 20:35:03 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2014 20:35:03 -0000 Authentication-Results: pb1.pair.com smtp.mail=swhitemanlistens-software@cypressintegrated.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=swhitemanlistens-software@cypressintegrated.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain cypressintegrated.com designates 173.1.104.101 as permitted sender) X-PHP-List-Original-Sender: swhitemanlistens-software@cypressintegrated.com X-Host-Fingerprint: 173.1.104.101 rproxy2-b-iv.figureone.com Received: from [173.1.104.101] ([173.1.104.101:50205] helo=rproxy2-b-iv.figureone.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 2A/51-35654-67DFFE25 for ; Mon, 03 Feb 2014 15:35:02 -0500 Received: from bad.dop.co ([108.12.130.219]) by rproxy2-b-iv.figureone.com (Brand New Heavy v1.0) with ASMTP id PWL13657 for ; Mon, 03 Feb 2014 12:34:57 -0800 Date: Mon, 3 Feb 2014 15:34:38 -0500 Reply-To: Sanford Whiteman X-Priority: 3 (Normal) Message-ID: <613985397.20140203153438@cypressintegrated.com> To: Daniel Lowrey In-Reply-To: References: <344075933.20140203143339@figureone.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: Windows Peer Verification From: swhitemanlistens-software@cypressintegrated.com (Sanford Whiteman) > No one is arguing against ease-of use here. PHP users may now need to have write access to PHP.INI in order to not get logs filled with security warnings, for the same code that previously did not issue a warning. Or else they need to change all outbound stream code, which in many cases isn't even theirs to safely change. This isn't ease-of-use. This is hardening security at the cost of ease-of-use for some users. We must call it what it is. > Have you read the relevant RFCs? I was the one who told you the Peer Verification RFC would break the official WPI package (break == E_WARNING without end) and nobody cared then. Now it's like a minor after-the-fact surprise after the RFC was accepted. This thread itself actually surprised me: I honestly didn't think you cared about the issue at all. Figured the next we'd hear about it would be in WONTFIXes on the bug tracker with directions to download the CA bundle. I'm psyched I got the earlier heads-up on Internals, and I don't worry about our servers because I have full control. Other users don't and you will upset them. I am not saying these changes to PHP are not advisable. They are! But how can you be "befuddled" when you started a thread that notes that Windows users may need to have sysadmin privileges -- else they will be constantly reminded that they don't? > Please just take sixty seconds to at least read this one part then > come back and tell me I'm making it *more difficult* for the average > user to make secure transfers. We will have made it easier for PHP users to either [a] make secure transfers or [b] fill up their logs with warnings The "average" user will fit into [a] per recent PHP statistics (at least on the production side) so yeah, the "average" user will see a major benefit. How many users need to fit into [b] for you to acknowledge that this rollout is going to be less than fully successful -- not a failure, just not an unqualified success -- unless we take those users seriously? > Instantly discounting those is a myopic approach. You can't just > instantly rule out that bundling a file might not be feasible. It's fine to not bundle a file. It's not fine to pretend that warnings will not be endlessly spewed on Windows without a file. It's not fine to suppress these warnings on Windows but not elsewhere. -- S.