Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:72406
Return-Path: <lester@lsces.co.uk>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 90769 invoked from network); 8 Feb 2014 16:14:36 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 8 Feb 2014 16:14:36 -0000
Authentication-Results: pb1.pair.com header.from=lester@lsces.co.uk; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=lester@lsces.co.uk; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lsces.co.uk from 217.147.176.204 cause and error)
X-PHP-List-Original-Sender: lester@lsces.co.uk
X-Host-Fingerprint: 217.147.176.204 mail4.serversure.net Linux 2.6
Received: from [217.147.176.204] ([217.147.176.204:56280] helo=mail4.serversure.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 38/31-17765-9E756F25 for <internals@lists.php.net>; Sat, 08 Feb 2014 11:14:34 -0500
Received: (qmail 1845 invoked by uid 89); 8 Feb 2014 16:14:30 -0000
Received: by simscan 1.3.1 ppid: 1838, pid: 1842, t: 0.0780s
         scanners: attach: 1.3.1 clamav: 0.96/m:52
Received: from unknown (HELO linux-dev4.lsces.org.uk) (lester@rainbowdigitalmedia.org.uk@81.138.11.136)
  by mail4.serversure.net with ESMTPA; 8 Feb 2014 16:14:30 -0000
Message-ID: <52F658A4.7030604@lsces.co.uk>
Date: Sat, 08 Feb 2014 16:17:40 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gecko/20100101 Firefox/26.0 SeaMonkey/2.23
MIME-Version: 1.0
To: PHP internals <internals@lists.php.net>
References: <52F61A78.1020401@lsces.co.uk>	<CAF+90c9ZmeysC88ghHk50rpv_8T4jYhGCWEDwZxOR5EmPuDDLg@mail.gmail.com>	<52F62B08.6050201@ajf.me>	<52F63DDE.6090600@lsces.co.uk> <CAEZPtU5-DnNeFFJDGYG+YHjL_SOddNeiqcoJp_Ye2G+Lgdu2ow@mail.gmail.com>
In-Reply-To: <CAEZPtU5-DnNeFFJDGYG+YHjL_SOddNeiqcoJp_Ye2G+Lgdu2ow@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Security Diligence
From: lester@lsces.co.uk (Lester Caine)

Pierre Joye wrote:
>> Much of the difficulty I have with PHP these days is simply trying to
>> >understand why the 'new' method of working is better than what we did 10 or
>> >more years ago. Good examples of practice is still very lacking even in the
>> >latest documentation, and what goes into rfc's these days is the basis for
>> >updating the main documentation?
> Lester, this is not a support list.
>
> It is your good right to stick with dead PHP versions and 10 years old
> code (whether it is your choice or not), but it is definitively not
> good to constantly posts totally off topic posts, replies or complains
> about what we do or don't. It is even more annoying in cases where you
> clearly do not understand the underlying reasons of one feature or
> another.
>
> That being said, I would love to see you actually contribute something
> for a change.

Currently the material in question is being discussed on this list, and some 
people obviously understand what the risks are and when pressed pass on that 
information, but we should not have to ask for clarification. That material 
should be the basis of the rfc that is being discussed! If the very basis of a 
problem is not documented then how can it be signed off? The details have been 
fairly well covered on this list, but moving it forward it needs to be reflected 
in the documentation. Your own changes to selection of random number sources is 
quite complex and perhaps we don't need to understand the details, but it should 
be easier to access direct from the documentation rather than having to 
interpret third part documents. Simply linking those third part documents may be 
all that is needed, but how often do they become unavailable later ... wikipedia 
have killed a number of software related articles.

Perhaps when I've managed to get all of not only my own code but other peoples 
code into a state where it will run on a modern PHP installation, then I might 
actually be able to find time to put my own improvements forward. My current 
contribution is as it always has been ... trying to help users get up to date 
with a continually moving target :( The latest 'problems' are just taking time I 
don't have to check through if there even is a problem. It will be fixed in a 
later version of PHP but nowadays that is just not good enough for some people :(

I am NOT trying to maintain PHP5.2, it is just there is still a large volume of 
material that despite what others seem to think will not 'just run' on even 5.3 
and now we are getting new 'risks' which may need patching in code that has been 
updated. If there was an easier way of 'upgrading' then there would not be such 
a backlog of code still needing converting?

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk