What is a release candidate and what is your (un)reason?
Posted by Pierre in Uncategorized, Wednesday, September 5, 2007
There are things that will never change.
Too many users wait for the stable release to actually test it; we can live with that. But what is more than annoying (and I'm being polite) is all these "top" security guys waiting for the stable releases to report issues, or to proudly announce that a fix was not correct or not present at all.
The latest one in this wonderful community is securityreason.com. As they say they reported the problem to the PHP security team, they are half pardoned. But why wait for the final release to report the issue? That's a rhetorical question; no need to start a FUD/troll thread here about how bad we are: "you" had four release candidates to do it.
Sebastian - #1 - 2007-09-06 07:30
It reads as if their old exploits just work on the current PHP version. So why aren't these included as regression tests?
Pierre - #3 - 2007-09-06 10:26
"It reads as if their old exploits just work on the current PHP version. So why aren't these included as regression tests?" One has to write them and commit them. But the main problem here is that the RCs do not seem to be tested or validated by these companies or teams. This is something we have to change. It is especially critical for the security issues, as only a small set of people know about them, and only a (very) small set of PHP internals developers.
Sebs - #4 - 2007-09-06 14:46
They are like women: not happy as long as you don't have a chocolate ****** ***** money G*
Pierre - #5 - 2007-09-06 14:52
@Sebs: There are other ways to say what you mean. But being trashy does not help.
lorenzo - #6 - 2007-09-07 06:02
Hello,
@Pierre don't you think you go a bit too far?
Those guys work for free, for the PHP community, to improve the security of PHP,
not for discrediting PHP. Don't be surprised if the "stable release" is tested: on a beta-testing version a vuln is never a hole, it's a "bug", and those "bugs" are more often under-estimated. Now, for the release 5.2.4, I went to the php.net website and I saw:
"This release focuses on improving the stability of the PHP 5.2.X branch with over 120 various bug fixes in addition to resolving several low priority security bugs. All users of PHP are encouraged to upgrade to this release." The first thing that came to mind was: let's test this one.... Regards.
Pierre - #7 - 2007-09-07 07:52
@Lorenzo: I don't think I went too far. It is always the same people who wait for the stable release to actually report the issues. The list is only getting longer. This is a real problem. However, you brought up a good point: whether we should open the security related reports sooner than the stable release or not. I think we should, and not only for the users but for all other internal developers.
lorenzo - #8 - 2007-09-07 08:28
@pierre Well, I work for a web hosting company, and I can tell you that we never use an RC release, like many professionals who use PHP;
we prefer using a stable version,
as a pentester prefers to pentest a stable version. "The list is only getting longer."
So what should we do? Blame these guys?
No way... the PHP team needs to clear the list first, before releasing the next stable version.
Why don't you open a communication with them when your list is done, to see if everything's all right? And why not pentest the next stable release before releasing it? I don't think the "top security guys" wouldn't like this kind of idea. Regards.
Pierre - #9 - 2007-09-07 12:33
"Well, I work for a web hosting company, and I can tell you that we never use an RC release, like many professionals who use PHP" If, as an ISP, you never test what comes next and how it affects (will affect...) your customers, I think you may have a QA problem. Lukas also explained once why ISPs may be more involved in the development process (see my htscanner posts in this blog, for example). "Why don't you open a communication with them when your list is done, to see if everything's all right?" I'm part of them. The goal of an RC is to get a large(r) audience to validate a release. But you miss my point: they knew about the issues and simply did not check anything until after the release. And I'm not talking about a lambda user here. I still think that most of them do that on purpose. The reasons are pretty obvious.
lorenzo - #10 - 2007-09-07 17:19
Hello, you totally didn't get my point (yes, I got yours since the beginning...).
My English is poor; anyway, I do what I can.
I made an English mistake here:
"No way... the PHP team needs to clear the list first, before releasing the next stable version.
Why don't you open a communication with THEM when your list is done, to see if everything's all right?" them --> I was talking about the "top security guys".
I know that you're a PHP dev. Now, "But you miss my point: they knew about the issues and simply did not check anything until after the release"
Did they report the bugs? Yes.
When? A couple of releases before.
Did you (the PHP team) consider these advisories? Not really; the last "STABLE" version is still vulnerable.
Should the blame be on them or on you guys? ..... I did originally question the reasons why Stefan Esser left the security team at PHP; however, now I believe I'm beginning to understand.
Pierre - #11 - 2007-09-07 20:12
"Did you (the PHP team) consider these advisories? Not really; the last "STABLE" version is still vulnerable.
Should the blame be on them or on you guys? ..." Yes, they did take care of the issue, but they are human too, and humans can make mistakes or not completely fix old mistakes. And you know what? That's why RCs exist... back to the original point. "I did originally question the reasons why Stefan Esser left the security team at PHP; however, now I believe I'm beginning to understand." Please don't mix topics; I think this story has nothing to do with that. Anyway, I must be some kind of extra-powered human, as I always try the bugs I reported with any kind of release, or even using the development versions... (not talking about PHP only here)
lorenzo - #12 - 2007-09-08 00:32
Hello Pierre, I do understand what you mean, and I totally agree with your point about human factors and mistakes.
But I guess the PHP team has to learn from their errors, and not blame everyone around for what happened.
It's just too easy...
Things change when the shit hits the fan.
Now, for your RC release, if no one pentests it, maybe it's because there's a "fuck" somewhere in *your* way of proceeding, no?
That's my point. Peace.
Pierre - #13 - 2007-09-08 20:47
Lorenzo, nobody blamed anyone for our mistakes. The only point I made is about reporting such issues right after the stable release, not more, not less. And that's the only thing WE have to change. You seem to have missed the "we" in my post; I did not say "they" for a good reason: the only way to fix this problem and to improve our release process is to work together.