Newsgroups: php.internals
Subject: Re: [PHP-DEV] About declare(strict_types = 1)
From: dennis@birkholz.biz (Dennis Birkholz)
To: internals@lists.php.net
Date: Mon, 16 Mar 2015 07:33:47 +0100
Message-ID: <5506794B.8090008@birkholz.biz>
References: <55066F07.80308@birkholz.biz>

Hi Yasuo,

On 16.03.2015 at 07:22, Yasuo Ohgaki wrote:
> Caller _must_ satisfy callee requirements. This is a simple principle to
> write secure code.
>
> With this RFC, the caller overrides a security-related setting. This means
> scripts that are prepared for type safety are "ignored" and it leads to a
> security breach.

That is simply not true!
The callee always gets the type it expects. There is no security problem involved here. The only difference is if type conversion rules apply or if an error is raised for a type mismatch.

You clearly dislike the RFC (you voted no), that is OK, but don't scream about "security" bugs that don't exist. If they existed, all type hint RFCs would have them in general.

Greets,
Dennis