[php-maint] Bug#668067: Bug#668067: [php5-common] Nonsensical part about configuration known to be inherently insecure in README.Debian.security

Filipus Klutiero chealer at gmail.com
Mon Apr 9 19:07:06 UTC 2012


Hi Thijs,

On 2012-04-08 16:27, Thijs Kinkhorst wrote:
> On Sun, April 8, 2012 22:07, Filipus Klutiero wrote:
>> On 2012-04-08 15:45, Thijs Kinkhorst wrote:
>>> On Sun, April 8, 2012 21:23, Filipus Klutiero wrote:
>>>> Hi Thijs,
>>>>
>>>> On 2012-04-08 13:16, Thijs Kinkhorst wrote:
>>>>> On Sun, April 8, 2012 18:31, Filipus Klutiero wrote:
>>>>>> Package: php5-common
>>>>>> Version: 5.4.1~rc1-1
>>>>>> Severity: normal
>>>>>>
>>>>>> README.Debian.security starts:
>>>>>>
>>>>>>> The Debian stable security team does not provide security support for
>>>>>>> certain configurations known to be inherently insecure. This includes
>>>>>>> the interpreter itself, extensions, and user scripts written in the PHP
>>>>>>> language.
>>>>>> This is at least most unclear. How would the PHP interpreter be a
>>>>>> configuration known to be inherently insecure?
>>>>> If I add "features in", does it get clear to you what's meant?
>>>>>
>>>>> | The Debian stable security team does not provide security support for
>>>>> | certain configurations known to be inherently insecure. This includes
>>>>> | features in the interpreter itself, extensions, and user scripts written
>>>>> | in the PHP language. Most specifically, but not exclusively, the
>>>>> | security team will not provide support for the following.
>>>> I'm not sure. This raises the question "Are features configurations?"
>>> Making use of a feature is most certainly a configuration.
>> Hum, if I use my MUA's reply feature, I don't think of myself as being
>> configuring anything. Then again, whether an action constitutes
>> "configuring" may be unclear in certain cases. If you can explain what
>> features in the PHP interpreter you consider as configurations, that may
>> clarify.
> Perhaps you misunderstand the word "configuration". A configuration is a
> combined set of components - like specific software features, or pieces on
> a chess board. You can use a configuration without "being configuring" it
> - in fact "configuring" is the state before "using". Therefore, you're
> indeed not "configuring" anything if you use your mail client.
>
>> The problem is not a lack of examples that qualify. The whole list is
>> presented as configurations known to be inherently insecure. Please
>> either remove those which are not about configuration, present the list
>> differently,
> I think you're taking 'configuration' to mean something too specific, like
> changing a configuration file.

There is a difference between configuring and using a configuration. 
Using my MUA's reply feature may indeed be conceived as *using* a 
configuration. However, it's certainly not commonly conceived as 
*configuring*.

>
>> or clarify your understanding of what "configuration" means.
> I've done that now.
>
> We already had this text reviewed by Debian's native English review team
> and that resulted in the text as it is now.

Hum. Could you point to that review?
