On 04/01/19 10:35 am, Danny Haidar wrote:
> Hi everyone,
>
> An important subject was discussed in the IRC channel today, and I want
> to bring it to the attention of the community.
>
> Over the course of a discussion about the long-standing desire to
> integrate Nextcloud into FreedomBox (and, as a precondition, into the
> Debian ecosystem), Jonas brought up a broader criticism of software
> written in PHP. Here it is in brief: software written in PHP cannot be
> reliably run without supervision. Since FreedomBox is designed to be a
> server system that requires no administration, PHP's occasional
> requirement of supervision conflicts with our goal of self-administration.
>
> I want to make sure that we don't ignore this point the next time we
> discuss packaging Nextcloud, WordPress, or any other software written in
> PHP. I know that we have plenty to discuss pertaining to the Buster
> freeze in the coming weeks, but we should add this concern to an
> upcoming call agenda.
>
> Jonas shared some helpful resources to explain the criticism:
>
> https://security.stackexchange.com/questions/643/why-do-people-say-that-php-is-inherently-insecure
>
> https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
>
Some points I would like to add to the discussion:

We have recently moved away from the apache2 module for PHP and started using PHP-FPM, a separate daemon, for all current and future PHP applications. This enables us to put additional jail restrictions on PHP applications.

Also, well-written software can avoid the security pitfalls of PHP. I would say having a good, security-conscious team is more important than the choice of language. While PHP may not be our first choice of language, there is some well-respected and popular software written in PHP with good teams behind it.

--
Sunil
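One concrete form the "jail restrictions" mentioned above can take, added here as an illustration rather than FreedomBox's or Sunil's actual configuration: a PHP-FPM pool that runs one application under its own unprivileged account and confines what the interpreter may touch. The pool name, account, socket and paths are assumptions, and the disabled-function list has to be checked against what the application actually needs.

```ini
; /etc/php/7.3/fpm/pool.d/webapp.conf  (hypothetical path and pool name)
[webapp]
; Run this application under its own account, separate from the web
; server and from every other PHP application on the box.
user = webapp
group = webapp

; Private UNIX socket; only the web server account may connect to it.
listen = /run/php/php-fpm-webapp.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Spawn workers only on demand and cap them, so a runaway application
; cannot exhaust the host.
pm = ondemand
pm.max_children = 8
pm.process_idle_timeout = 10s

; Confine file access to the application tree and its own data,
; upload and session directories (all assumed paths).
php_admin_value[open_basedir] = /var/www/webapp:/var/lib/webapp:/tmp
php_admin_value[upload_tmp_dir] = /var/lib/webapp/tmp
php_admin_value[session.save_path] = /var/lib/webapp/sessions

; Remove process-spawning primitives the application does not need,
; so a compromised script has less to work with. Adjust per application:
; some software legitimately calls exec() or proc_open().
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
php_admin_flag[allow_url_include] = Off
php_admin_flag[expose_php] = Off
php_admin_flag[display_errors] = Off
php_admin_flag[log_errors] = On

; Only ever execute files ending in .php, so an uploaded file with
; another extension is never handed to the interpreter.
security.limit_extensions = .php
```

Because the pool is a separate daemon, the same isolation can be extended at the service level (for example with systemd sandboxing of the php-fpm unit), which is not possible when PHP runs inside the Apache process.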
_______________________________________________
Freedombox-discuss mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/freedombox-discuss
