Little reminder about PHP references and some thoughts about FUDs
Posted by Pierre in Uncategorized
Tuesday, February 27. 2007
Reading planet-debian and Planet Apache (from Sven and David), I caught two posts about clones and references in PHP 4 and PHP 5. I do not think it is worth explaining everything again here, as Sara already wrote a very good post about it; check it out here.
What annoys me a little is reading more and more bad posts about PHP from people who do not use it. While David's and Sven's posts were nice (but still wrong), I remember other trashy posts (this one was on planet-ubuntu). What does that bring to the other (obviously) better languages, or what does it take away from PHP's reputation? Nothing. It only shows the possible lack of clue of the poster, who was not humble enough to admit it.
I wonder when the OS community in general will be mature enough to stop bitching at each other. And that is valid for PHP developers, the GNOME/KDE war and other well-established wars. Bitching among ourselves (I can be a good annoyance for PHP itself, I admit ;) ) can be a good thing, and it is a way to get things done in a project (without abusing it ;).
Herman Bos - #1 - 2007-03-16 01:11 - (Reply)
Hi there, personally I didn't find my post really trashy. We use PHP on all our webservers and web-based content-providing stuff, and we see it even more in action. If you read the article I linked to, you can read up on some well-argued stuff about why the PHP security handling basically sucks at the moment. I believe that's also the reason they started the Month of PHP Bugs: to draw attention to it, so that PHP will pay proper attention to it in the future. That was the only negative thing in my post; the rest was about extra PHP security add-ons. Even though PHP is not really secure, it's not the worst problem; by properly securing the webserver you can limit possible damage. I posted the article from a security point of view. I don't believe in not bitching at each other at all, although I prefer the more constructive way. Nothing is sacred. There is no reason to code crappy or disregard decent security measures.
Pierre - #2 - 2007-03-16 12:30 - (Reply)
Hi! The problem with such posts is relying on one source without actually taking the time to analyze or verify the information. But yes, nothing is sacred, though I have my principles (not many, but a few I try to keep in mind every day). One can criticize something or someone. Constructive criticism is good and always welcome. I can hardly define your post as constructive, but more as an attempt to feed the FUD even more. Some points Stefan made are correct. As a core developer, I had trouble more than once while trying to get them fixed or to change the (bad) attitude or way of working of many developers, Stefan included. Others are simply wrong, incomplete or used to discredit the work of a person or group. Now about the MOPB itself, I think it is a good thing as it forces some PHP developers to change their minds (it seems to work well so far :) if you follow what is being done in php.net). One good change is the sudden requirement to put the CVE references or clear log entries for the security commits, as well as in the NEWS file. I had been asking for that for years. Another is the PHP security pages, which list all issues per version/date/CVE. Now, while one can think MOPB is based on good intentions, that forgets about Stefan's FUD. Let's take Zip: as there were (and maybe still are) some issues, let's see what happened in this new extension (yes, it is a new extension in PHP, a complete rewrite of an old one). Stefan did not mention that there was no bug report or mail about these flaws before his announcement (#20); it is then pretty obvious that the last PHP release (in February) does not have a fix. But I released 1.8.7 12 hours after his announcement (MOPB #20). The other one (MOPB #16) was released one day after I heard about it. There are other similar situations, and I do not think it is fair of him to use such examples to "show" how bad we are.
I can say my reaction was quick: I fixed the problems and released a new version within a day or two after I heard about an issue. Stefan (Hardened-PHP in general too) has a big problem with our new ext/filter. Well, it was expected. What he did not mention either is that he is (or was) a PHP developer. But he did not reply to any of my numerous calls for reviews months before the release (5.2.0). The same for Christopher K.; they both started to complain and post issues after the release. No matter what they say, I think it was on purpose, and that's bad, and not only for PHP. That tells a lot about the real intentions. Where PHP sucks (as an OS project and not as a language) is the way we work. Or, to be more precise, the way we don't work. PHP is a pyramidal and elitist system, where some of the big wits do not give a shit about your work (or yourself) unless they need you for one reason or another (you will suddenly get mails from people you had been trying to contact for months). It is a pain to get information in time or on a regular basis. security@php.net is no exception. Even if I see some changes, there is still a complete lack of communication, and I stay rather pessimistic about this problem: too many conferences (big wits activity #1), politics and commercial interests. I will talk about my point of view on the PHP project in the next weeks; I should go back to code now, this comment is getting too long :)
Herman Bos - #3 - 2007-03-16 21:26 - (Reply)
Unfortunately it's not uncommon to have such organizational issues in IT. Good luck!
Pierre - #4 - 2007-03-17 19:50 - (Reply)
Yeah, it is not. Part of the job of IT is to improve communication, go figure!