[php-maint] Bug#668067: Bug#668067: [php5-common] Nonsensical part about configuration known to be inherently insecure in README.Debian.security

Thijs Kinkhorst thijs at debian.org
Sun Apr 8 20:27:34 UTC 2012


On Sun, April 8, 2012 22:07, Filipus Klutiero wrote:
> On 2012-04-08 15:45, Thijs Kinkhorst wrote:
>> On Sun, April 8, 2012 21:23, Filipus Klutiero wrote:
>>> Hi Thijs,
>>>
>>> On 2012-04-08 13:16, Thijs Kinkhorst wrote:
>>>> On Sun, April 8, 2012 18:31, Filipus Klutiero wrote:
>>>>> Package: php5-common
>>>>> Version: 5.4.1~rc1-1
>>>>> Severity: normal
>>>>>
>>>>> README.Debian.security starts:
>>>>>
>>>>>> The Debian stable security team does not provide security support for
>>>>>> certain configurations known to be inherently insecure. This includes
>>>>>> the interpreter itself, extensions, and user scripts written in the PHP
>>>>>> language.
>>>>> This is at least most unclear. How would the PHP interpreter be a
>>>>> configuration known to be inherently insecure?
>>>> If I add "features in", does it get clear to you what's meant?
>>>>
>>>> | The Debian stable security team does not provide security support for
>>>> | certain configurations known to be inherently insecure. This includes
>>>> | features in the interpreter itself, extensions, and user scripts written
>>>> | in the PHP language. Most specifically, but not exclusively, the
>>>> | security team will not provide support for the following.
>>> I'm not sure. This raises the question "Are features configurations?"
>> Making use of a feature is most certainly a configuration.
>
> Hum, if I use my MUA's reply feature, I don't think of myself as being
> configuring anything. Then again, whether an action constitutes
> "configuring" may be unclear in certain cases. If you can explain what
> features in the PHP interpreter you consider as configurations, that may
> clarify.

Perhaps you misunderstand the word "configuration". A configuration is a
combined set of components - like specific software features, or pieces on
a chess board. You can use a configuration without "being configuring" it
- in fact "configuring" is the state before "using". Therefore, you're
indeed not "configuring" anything if you use your mail client.

> The problem is not a lack of examples that qualify. The whole list is
> presented as configurations known to be inherently insecure. Please
> either remove those which are not about configuration, present the list
> differently,

I think you're taking 'configuration' to mean something too specific, like
changing a configuration file.

> or clarify your understanding of what "configuration" means.

I've done that now.

We already had this text reviewed by Debian's native English review team
and that resulted in the text as it is now. I don't know how to improve it
further if you don't propose specifically a wording that you do
understand. If you want to pursue this further, please propose a patch
that does satisfy your concerns, and we can review that.


Cheers,
Thijs
