On Tue, Oct 29, 2002 at 12:52:57PM +0000, Roger Burton West wrote:
> On Tue, Oct 29, 2002 at 12:29:22PM +0000, Paul Makepeace wrote:
> >On Tue, Oct 29, 2002 at 08:32:31AM +0000, Roger Burton West wrote:
> >> I used to run it, but the security cost of having PHP
> >What security cost?
> 
> Erm, you do read BUGTRAQ?

Not regularly, but enough to know that most of what is reported is of
little practical consequence to most people. These days I rely on
Debian's security advisories. The only serious advisory in the last
couple of years was in March with the file upload bug.

By "serious", I don't consider being able to futz with mail() while
in PHP's safe_mode by an authenticated user "serious". Some might,
of course. (Those people are unlikely to even use perl in those
cases, period.)

> Even if the only PHP code allowed on the
> system is Squirrelmail, it's still a pain to have to take down webmail
> every few weeks while they code round a function that was thought to be
> safe.

I'd read this as FUD, frankly, until you can show PHP has suffered
vulnerabilities so severe as to require shutting down service "every
few weeks".

This might seem anal of me, but people might actually take what you're
saying to heart and then continue to spread disinformation. If a package
deserves commentary like that (say, MS not fixing reported bugs after
several weeks of being notified), fair enough; if it doesn't, it's worth
IMO avoiding hyperbole.

SFOnline author Jon Lasser discusses over-zealous reporting,
http://online.securityfocus.com/columnists/114

Paul

-- 
Paul Makepeace ....................................... http://paulm.com/

"If you believe you are one of the gods, then crash the plane."
   -- http://paulm.com/toys/surrealism/