
Re: [tlug] Do you whitelist or blacklist utf-8?



Darren Cook writes:

 > > You've probably already seen the other replies, but the
 > > number of PHP vulnerabilities was overwhelming a few years back.
 > 
 > I've not seen any reply yet to tell me that a recent release of PHP is
 > "insecure".

That's true.  I don't have an opinion on the security of recent
releases of PHP.  However, some of the arguments you make in support
of PHP are incorrect, or are inappropriate to TLUG.

 > Josh's googits can just as easily be interpreted as "more
 > eyeballs looking at PHP mean more of the bugs are fixed".

That, I'm sorry to say, is Just Plain False[tm] according to current
knowledge.  In fact, all of the studies show that a large number of
reports correlates directly with a large number of bugs, the fraction
remaining latent being essentially constant.

While I don't know of any research that characterizes this constant
for open source, in proprietary software it basically correlates with
process, and really only starts to decrease with SEI level 3 and
higher.  Unless PHP is a very unusual project, most likely it has the
typical SEI level of -1 ("We don' need no mo' steenkin' process!").

It seems very likely that PHP has indeed been *significantly* more
buggy than Perl, Python, or Ruby.  Whether that's still true, I don't
know, and history may not be a guide.  But I would say the burden of
proof is on PHP advocates, not vice versa.

 > What would make me sit up and pay attention is if you showed me that a
 > php 5.2.x or 5.3.x release was released with serious security bugs in
 > the core (as opposed to in some new specialist library that has just
 > been added).

That's an unreasonable condition in a project whose popularity derives
significantly from rapid assimilation of "new specialist libraries".

 > The very big websites using PHP, such as Facebook and Wikipedia, never
 > complain about PHP not being secure enough.

Sure, but they don't come to TLUG for advice about their web-based
work.  The people who do come here do not have the same levels of
expertise and resources for in-house development.  "What's good enough
for Facebook is good enough for me" is not an appropriate criterion in
giving advice on TLUG.
