Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:95253
Return-Path: <yohgaki@ohgaki.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 47779 invoked from network); 17 Aug 2016 05:20:42 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Aug 2016 05:20:42 -0000
Authentication-Results: pb1.pair.com smtp.mail=yohgaki@ohgaki.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=yohgaki@ohgaki.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain ohgaki.net designates 180.42.98.130 as permitted sender)
X-PHP-List-Original-Sender: yohgaki@ohgaki.net
X-Host-Fingerprint: 180.42.98.130 ns1.es-i.jp  
Received: from [180.42.98.130] ([180.42.98.130:34574] helo=es-i.jp)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A9/10-45465-724F3B75 for <internals@lists.php.net>; Wed, 17 Aug 2016 01:20:42 -0400
Received: (qmail 24563 invoked by uid 89); 17 Aug 2016 05:20:35 -0000
Received: from unknown (HELO mail-qt0-f180.google.com) (yohgaki@ohgaki.net@209.85.216.180)
  by 0 with ESMTPA; 17 Aug 2016 05:20:35 -0000
Received: by mail-qt0-f180.google.com with SMTP id x25so45001687qtx.2
        for <internals@lists.php.net>; Tue, 16 Aug 2016 22:20:35 -0700 (PDT)
X-Gm-Message-State: AEkoouuRhvARjWyX9cDFFoL2Cemk4j4mxEIBYjN+5snOrTvMX6rmeLiiUNbesXkS5SeYsyN94F8D/bsT2hUO1Q==
X-Received: by 10.237.49.130 with SMTP id 2mr44471815qth.38.1471411229259;
 Tue, 16 Aug 2016 22:20:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.85.242 with HTTP; Tue, 16 Aug 2016 22:19:48 -0700 (PDT)
In-Reply-To: <CA+kxMuQtekaGVR+JP=D-p=kSwg7Gaa=TmWFcxsB2p498sEztRA@mail.gmail.com>
References: <CAGa2bXarw2jTj0yhXpywWNQOJLR2pdhfaqSdwj_btT2giEL15Q@mail.gmail.com>
 <CAGa2bXadVagTwBzEym9PZROmXu3SKxg=huCAQNK3k1-jZeG_pg@mail.gmail.com>
 <CAGa2bXY-vmEgEFrE0OxQPSx=FKHeHdCayrDXxtTkHUVaJbV+-A@mail.gmail.com>
 <CA+kxMuRiOBQpmTeKqNyV8rX0GKCLrYixi--y5TcYUkdqpT746w@mail.gmail.com>
 <CAGa2bXa78fkZw8gtepmBDu+VDwHW_WiDDv65=zzgLTFqYxF+DA@mail.gmail.com>
 <CAGa2bXbOeWgk4xDLkBL4RDR95-Lnwagw2M-kgX8vE2P1k3PQiA@mail.gmail.com>
 <CAEZPtU6wsp-c=PAOOkoXfT6Nw2v0LsnvuZfAKtt1TEQJadSuQw@mail.gmail.com>
 <CAGa2bXZUQdU3wiA3=3cX2eJytiWW80bWKrd5AS4pfzh_Ra=CRQ@mail.gmail.com> <CA+kxMuQtekaGVR+JP=D-p=kSwg7Gaa=TmWFcxsB2p498sEztRA@mail.gmail.com>
Date: Wed, 17 Aug 2016 14:19:48 +0900
X-Gmail-Original-Message-ID: <CAGa2bXbg9D9NmZDh1J6wxCiwFh=a8HvvSTE1aaGs-iNttW4+gg@mail.gmail.com>
Message-ID: <CAGa2bXbg9D9NmZDh1J6wxCiwFh=a8HvvSTE1aaGs-iNttW4+gg@mail.gmail.com>
To: Dan Ackroyd <danack@basereality.com>
Cc: Pierre Joye <pierre.php@gmail.com>, PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Add validation functions to filter module
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Dan,

I understood about RFC process.

On Wed, Aug 17, 2016 at 12:23 PM, Dan Ackroyd <danack@basereality.com> wrote:
> Additionally, you seem to completely have ignored this:
>
> Dan Ackroyd wrote:
>> And I strongly object to the idea of stopping and starting voting on RFCS. Please leave the vote open and if it fails take some time to think about the feedback.
>
> It would benefit everyone if you stopped responding immediately and
> instead took time to actually think about what people have been
> saying. This RFC isn't going to be in PHP 7.1, so it is fine to wait 3
> months to present a new version of the RFC.

It seems I've marked "already read" by mistake.
Thank you for reminding.
I got that you prefer userland implementation.

I'm planning to propose "Filter module deprecation" when this RFC
is declined, because current validation filter is not good enough to
do the job and makes situation worse than better... If deprecation
RFC is declined also, then I might try to improve this RFC again.

BTW, I cannot guess the reason behind "no" votes. I can guess
reasons for people participating discussions, though. Even when
RFC author could guess the reason,  it would be nicer for voters
and author if one explains the reason why vote "no" in vote thread.
Explicit description is better than guess, IMHO. Besides, unlike
you, there are many people do not left any clue.

For example, I completely fail to understand the reason why
"Enable session.use_strict_mode by default" and "Precise Session
Management" RFC is declined. These are _mandatory_ for session
security and not a matter of preference, but do it and/or how to do it.

If one fails to see why it is mandatory, should ask why. If one
think "it must be more efficient", then should insist patch
improvement. If one think proposal is wrong, then should point
out what's wrong. IMO. If opinion is the same, should mention
"Same here"/"Agree" at least.

It's okay to say "let's ignore such security issues" or "let it users
responsibility to secure session", but his/her opinion should be
expressed. It's not a political vote, but technical vote after all.

I guess most people voted "no" for
"Enable session.use_strict_mode by default" and "Precise Session
Management" is based on wrong assumption.

For this vote, I'm guessing preferences are strongly affected,
filter module nature and patch quality. The code is messy because
I didn't refactor code to minimize changes. It's still a guess,
though.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net