Anybody know anything about moto or have any opinion on it, especially
security-wise?  It's at http://www.webcodex.com/moto/.  I ask because I
*really* like the idea that it (supposedly) makes it easy to build a
web application that you can first interpret (for development) and later
compile into an Apache DSO.  Pretty slick, and *probably* has a huge
performance advantage over things like mod_perl and mod_php.  Maybe,
maybe not, just curious if anyone here has worked with it and can comment
on its usability, performance, or security.

On Tue, Mar 05, 2002 at 04:30:31PM -0500, Derek D. Martin wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> At some point hitherto, Rodent of Unusual Size hath spake thusly:
> > "Derek D. Martin" wrote:
> > > 
> > > I'll go one better than that.  If you use PHP, STOP.  They have
> > > security bulletins released about once a week, it seems (o.k. I'm
> > > exaggerating A LITTLE).  About the only "vendor" with more frequent
> > > releases is Microsoft...
> > 
> > Eh, I don't buy that.  Please back it up with some references.
> 
> Ok, I'll back down partially in that upon review, many of the
> advisories I've seen I've mis-remembered; they were not actually PHP
> advisories, but for software written in PHP.  However, just this year:
> 
> http://online.securityfocus.com/archive/1/258995
> http://online.securityfocus.com/archive/1/258662
> http://online.securityfocus.com/archive/1/255037
> http://online.securityfocus.com/archive/1/254846
> http://online.securityfocus.com/archive/1/254005
> http://online.securityfocus.com/archive/1/250196
> 
> Some of these are considered fairly minor, in that the vulnerability
> is a possible exposure of what may be considered sensitive info.  Some
> of these are things that can be fixed by altering the configuration of
> PHP.  The problem is that it shows a pattern of failing to think
> about programming security issues.
> 
> There are also some earlier advisories which complain about the design
> of PHP encouraging the development of insecure code.  It seems that
> writing secure PHP scripts is also very difficult, and there are quite a
> number of advisories for software written in PHP, which are not
> necessarily the fault of PHP, but perhaps encouraged by the design of
> PHP.
> 
> I stand by what I said: if you're using PHP, it is my opinion that
> you're better off from a security standpoint using something else.
> You have to worry about security problems in the software written
> using PHP, as well as those of PHP itself.  For example, Perl has zero
> reported vulnerabilities over the same period of time, and only one
> report of a vulnerability in software written in it (a file disclosure
> bug caused by bad input validation).  I personally don't feel that PHP
> has a track record that warrants confidence in the security of your
> web server, and possibly your network depending on other trust
> relationships with your web server.  Better, more proven alternatives
> exist.
> 
> - -- 
> Derek Martin               [EMAIL PROTECTED]    
> - ---------------------------------------------
> I prefer mail encrypted with PGP/GPG!
> GnuPG Key ID: 0x81CFE75D
> Retrieve my public key at http://pgp.mit.edu
> Learn more about it at http://www.gnupg.org
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD8DBQE8hTj2djdlQoHP510RAm8OAJ4yr+92cqQvJCNDGCSkp3te6FPetgCguyTK
> ryHuvFBAT2fzm9K4vP9NCOs=
> =nuvP
> -----END PGP SIGNATURE-----
> 
> *****************************************************************
> To unsubscribe from this list, send mail to [EMAIL PROTECTED]
> with the text 'unsubscribe gnhlug' in the message body.
> *****************************************************************
> 

-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets
