Re: [tlug] Do you whitelist or blacklist utf-8?
- Date: Fri, 25 Feb 2011 15:20:20 +0900
- From: "Stephen J. Turnbull" <stephen@example.com>
- Subject: Re: [tlug] Do you whitelist or blacklist utf-8?
- References: <4D639689.1010302@example.com> <4D63EFBC.1020900@example.com> <4D64C5DD.1040607@example.com> <4D64CB49.10906@example.com> <4D652AF5.10304@example.com> <4D655712.1090608@example.com> <37687.61.213.3.170.1298510044.squirrel@example.com> <4D661A15.8010009@example.com> <4D666540.5000705@example.com> <4D66EF27.7070905@example.com>
Darren Cook writes:

 > > You've probably already seen the other replies, but the
 > > number of PHP vulnerabilities was overwhelming a few years back.
 >
 > I've not seen any reply yet to tell me that a recent release of PHP is
 > "insecure".

That's true. I don't have an opinion on the security of recent releases of PHP. However, some of the arguments you make in support of PHP are incorrect, or are inappropriate to TLUG.

 > Josh's googits can just as easily be interpreted as "more
 > eyeballs looking at PHP mean more of the bugs are fixed".

That, I'm sorry to say, is Just Plain False[tm] according to current knowledge. In fact, all of the studies show that a large number of reports correlates directly with a large number of bugs, the fraction remaining latent being essentially constant. While I don't know of any research that characterizes this constant for open source, in proprietary software it basically correlates with process, and really only starts to decrease with SEI level 3 and higher. Unless PHP is a very unusual project, most likely it has the typical SEI level of -1 ("We don' need no mo' steenkin' process!").

It seems very likely that PHP has indeed been *significantly* more buggy than Perl, Python, or Ruby. Whether that's still true, I don't know, and history may not be a guide. But I would say the burden of proof is on PHP advocates, not vice versa.

 > What would make me sit up and pay attention is if you showed me that a
 > php 5.2.x or 5.3.x release was released with serious security bugs in
 > the core (as opposed to in some new specialist library that has just
 > been added).

That's an unreasonable condition in a project whose popularity derives significantly from rapid assimilation of "new specialist libraries".

 > The very big websites using PHP, such as Facebook and Wikipedia, never
 > complain about PHP not being secure enough.

Sure, but they don't come to TLUG for advice about their web-based work. The people who do come here do not have the same levels of expertise and resources for in-house development. "What's good enough for Facebook is good enough for me" is not an appropriate criterion in giving advice on TLUG.