[php-maint] Bug#658208: [php5] README.Debian.security: "problems used by sloppy developers"

Filipus Klutiero chealer at gmail.com
Tue Feb 7 19:40:41 UTC 2012

Hi Ondřej,

On 2012-02-07 13:17, Ondřej Surý wrote:
> Filipus,
> On Tue, Feb 7, 2012 at 18:51, Filipus Klutiero <chealer at gmail.com> wrote:
>>> It's there because people report(ed) on security mailinglists, and CVE
>>> names got assigned for, such issues. We want to make it clear that we
>>> categorically do not treat those as vulnerabilities.
>> Could you please give examples, so we're all clear on the kind of problem
>> we're talking about?
> If you are unhappy with the current text please provide updated text.

I am indeed unhappy with the current text (in unstable and 
experimental). I already provided an updated text.
>>> In our view point the flaw is in sloppy application code. The part 'but
>>> can be problematic when used by sloppy developers' indicates that to the
>>> user.
>>> I've changed 'developers' to 'application developers' to make it clear
>>> that we're not referring to PHP upstream development here.
>> Fine, but that leaves the question equally unanswered.
>> If a flaw in PHP functionality is not in PHP's design, where is the flaw? A
>> flaw in PHP functionality is not in application code, sloppy or not. PHP
>> functionality exists independent of application code using it.
> If those philosophical questions are really that worthy to you please either
> provide a specific text which can be used or have that debate elsewhere.

I am far from valuing this question. As I already explained:

> Sorry, there seems to be a misunderstanding. What I'm reporting is that
> the current README contains a non-sensical item. Thijs has fixed the
> problem, but the new version is also problematic. The new version would say:
> > Security support will not be provided for flaws in functionality which is not flawed in the design of PHP but can be problematic when used by sloppy developers.
> >
> What I am saying is that this wording will leave the reader puzzled; if
> a flaw in a PHP functionality is not in PHP's design, the reader will
> wonder where the flaw is.
> I do not expect the README to answer that question, I would rather have
> it avoid raising the question.

> I think that the purpose
> of the README.Debian.security is that we will provide only updates for
> serious bugs.

If that's what it means, then please just say that. It will be both much 
quicker to read and much more clear.
> If you have a specific text you would like to see in the document, please
> add it to this bug and re-open it.

I won't reopen this report, the bug was fixed by Thijs. There is no 
specific text I want to see in the document, I just want whatever text 
will be in the document to be sensical.
> And please don't play BTS ping pong without
> a text.
