Newsgroups: php.internals
Xref: news.php.net php.internals:80368
Subject: RE: [PHP-DEV] [RESULT] [RFC] PHP 5.7
From: François Laupretre <francois@tekwire.net>
To: "'Yasuo Ohgaki'", "'Pierre Joye'"
Cc: "'PHP internals'", "'Andrea Faulds'"
Date: Sun, 11 Jan 2015 15:24:04 +0100
Message-ID: <002401d02daa$41ab73f0$c5025bd0$@tekwire.net>
References: <14F63BD9-73FD-49A3-9EA2-48FE35DB915C@ajf.me> <003e01d02d68$94fa8880$beef9980$@tekwire.net>

From: yohgaki@gmail.com [mailto:yohgaki@gmail.com] On behalf of Yasuo Ohgaki

>>> On Sun, Jan 11, 2015 at 3:36 PM, Pierre Joye wrote:
>>> Well, the feature list for PHP7 is not closed yet. I hope new attractive features will be added soon because, otherwise, it will
>>> be very hard to sell. And we need attractive features in the first release, not 7.1 or 7.2, which will never have the same
>>> exposure.
>> I cannot say it in a better way. Full ack.
> I agree with this, too.
>
> As the internet became a hunting place for professional crackers (criminals), I really
> would like to make PHP secure by default. It's getting better, but it is not enough.
> One example is htmlspecialchars(). HTML 5 allows attributes quoted by " ' and w/o
> quotes. It does not produce a safe string by default. Another example is "embed script
> by default/always". It's a needless risk (i.e. Local/Remote Script Inclusion), IMHO.
> Yet another example is the lack of a JavaScript string escape function. I also would like
> to see the OpenSSL/LibreSSL extension enabled by default.
> Security improvement may attract many users hopefully.

Great ideas!

IMO, that's the kind of features we need: more or less hard to implement and easy to explain and get people interested in. You're right: if we provide enough security-related fixes and enhancements, this can be a perfect focus when communicating about PHP7. It can look like demagogy but it's only basic communication rules. People (including all of us) need to make a first opinion after reading less than 10 words (and it becomes shorter every day :). If PHP7 is announced as 'a new version focusing on security', it is a reason to read further for a lot of people. If we give them a long list of opaque features they don't understand, they give up after reading 2 lines! The REALLY most important features are probably phpng or AST, but our only goal is to have users migrate to the new version.

Unfortunately, that's frustrating for people implementing hidden, complex features, like AST or phpng, which won't have the recognition they would deserve. But I don't know any way to fix this. IMO, there's no way to have the mass of PHP developers understand what they owe them. It doesn't mean this work is not important but, when you start working on such low-level features, you must know that recognition will come from your peers, rarely from the public. I even consider that an important benefit of PHP conferences is to provide a way for these people to get the recognition they deserve, which allows to keep them motivated.

Please go on with a global security-related RFC and a thread where all of us will bring forgotten feature requests. IMO, no need to be extremely creative in searching for issues to solve. We have tons of never-addressed security-related enhancement requests in the bug tracker. Sites like PHP sadness are a source too. Many others like StackOverflow also contain a lot of ideas and complaints in this domain.

Regards

François
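The following is an added example, not code from this thread or from the PHP project, illustrating the two gaps Yasuo's quoted message names: htmlspecialchars() with its pre-8.1 default flags (ENT_COMPAT) leaves single quotes alone and cannot protect an unquoted attribute at all, and PHP core has no dedicated JavaScript string escaper. Flags are passed explicitly because PHP 8.1 changed the default to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. The function names (escapeLegacyDefault, breaksUnquotedAttribute, attr, jsString) and the sample value are invented for the example.

```php
<?php
declare(strict_types=1);

// Added example for the points raised in the quoted message; not code from
// the php.internals thread. Function names are invented for illustration.
//
// Facts relied on: before PHP 8.1, htmlspecialchars() defaulted to
// ENT_COMPAT (double quotes escaped, single quotes kept), and no escaping of
// the value makes an *unquoted* HTML attribute safe, because whitespace ends
// an unquoted value and htmlspecialchars() keeps whitespace as-is.

/** What a bare htmlspecialchars() call did on PHP 5: double quotes only. */
function escapeLegacyDefault(string $value): string
{
    return htmlspecialchars($value, ENT_COMPAT, 'UTF-8');
}

/**
 * Check for template review or unit tests: true when the escaped value still
 * contains whitespace, i.e. emitted unquoted it would split into several
 * attributes. Such a value has to be emitted inside quotes.
 */
function breaksUnquotedAttribute(string $value): bool
{
    return preg_match('/\s/', escapeLegacyDefault($value)) === 1;
}

/**
 * Hardened attribute rendering: validate the attribute name, escape both
 * quote styles, and always wrap the value in double quotes so the result
 * does not depend on how the template author chose to quote it.
 */
function attr(string $name, string $value): string
{
    if (preg_match('/^[A-Za-z][A-Za-z0-9_:.-]*$/', $name) !== 1) {
        throw new InvalidArgumentException("Invalid attribute name: $name");
    }
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $name . '="' . $escaped . '"';
}

/**
 * JavaScript string literal from an untrusted value. json_encode() with the
 * JSON_HEX_* flags yields a double-quoted literal in which <, >, &, ' and "
 * become \u00XX escapes and non-ASCII becomes \uXXXX, so the value can
 * neither close a <script> element nor break out of the literal.
 */
function jsString(string $value): string
{
    $json = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        // json_encode() rejects invalid UTF-8; refuse rather than emit garbage.
        throw new InvalidArgumentException('Value is not valid UTF-8: ' . json_last_error_msg());
    }
    return $json;
}

// Constructed sample value: it contains a single quote and a space, the two
// characters the legacy default leaves untouched.
$value = "John Doe's page";

echo "legacy default escaping : ", escapeLegacyDefault($value), "\n";
echo "unsafe if left unquoted : ", var_export(breaksUnquotedAttribute($value), true), "\n";
echo '<a ' . attr('title', $value) . ">link</a>\n";
echo '<script>var title = ' . jsString($value) . ";</script>\n";
```

Run with `php example.php`. The first line shows that the legacy default returns the value unchanged, so in a single-quoted or unquoted attribute context it would end the attribute early; attr() and jsString() are the shapes a framework escaper takes when it wants to be safe regardless of the surrounding template quoting.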