At 12:25 PM 11/23/2004, Cliff Woolley wrote: >On Tue, 23 Nov 2004, Joe Orton wrote: > >> Discussion of whether or not it's useful to have PHP tests in httpd-test >> can take place on test-dev@, please send your comments there and I'll >> follow up. > >I actually think it's useful to have php tests in our suite, because >having a large number of tests for a module as big as php helps to flush >out bugs in httpd (and maybe apr). That would be even more the case if >php's sapi module for httpd 2.x that worked as a filter were in a >reasonable state...
I totally agree that regression testing is terrific. We gain alot knowing when our patches might break php. What I questioned was why we were doing the security validation of PHP when it's outside the scope of httpd, or isn't due to some interaction with httpd. I also questioned shoving scary security/CAN-2004-xxxx.t failures at our users. FIRST this should never have been in security/ - it should have been a php/ test. Again, this is not our security incident within httpd. Second, whenever we fail any CAN-2004-xxxx.t we must direct the user to some patch where they can remedy the situation. I'm sort of laughing that I spent 4 hours yesterday researching two vulns that many other engineers had spent 4 hours researching. The laughable thing - show me on www.php.net where they call out any patches for 4.3.x to these two incidents? It's akin to screaming FIRE in a crowded theater, when the doors are locked. Open up the doors first, then scream. Oh, just an aside, answering "upgrade n-1.x to the latest n.0 release" is no answer to a security incident. Didn't we just listen to a preso in Vegas decrying how 5.0 isn't 4.3? Bill