[php-maint] Bug#658208: Bug#658208: Bug#658208: Bug#658208: Bug#658208: [php5] README.Debian.security: "problems used by sloppy developers"

[Ondřej Surý]

Filipus,

On Tue, Feb 7, 2012 at 18:51, Filipus Klutiero <chealer at gmail.com> wrote:
>> It's there because people report(ed) on security mailinglists, and CVE
>> names got assigned for, such issues. We want to make it clear that we
>> categorically do not treat those as vulnerabilities.
>
> Could you please give examples, so we're all clear on the kind of problem
> we're talking about?

If you are unhappy with the current text please provide updated text. I am
happy with the text as is.

>> In our view point the flaw is in sloppy application code. The part 'but
>> can be problematic when used by sloppy developers' indicates that to the
>> user.
>> I've changed 'developers' to 'application developers' to make it clear
>> that we're not referring to PHP upstream development here.
>
>
> Fine, but that leaves the question equally unanswered.
> If a flaw in PHP functionality is not in PHP's design, where is the flaw? A
> flaw in PHP functionality is not in application code, sloppy or not. PHP
> functionality exists independent of application code using it.

If those philosophical question are really that worthy to you please either
provide a specific text which can be used or have that debate elsewhere.
This issue is not worthy spending any more time. I think that the purpose
of the README.Debian.security is that we will provide only updates for
serious bugs.

I will remove third bullet (register_globals) and update second (safe_mode)
as those features have been removed from PHP 5.4 and I am closing this
bug.

If you have a specific text you would like to see in the document, please
add it to this bug and re-open it. And please don't play BTS ping pong without
a text.

Thank you,
Ondrej
-- 
Ondřej Surý <ondrej at sury.org>