[php-maint] Bug#658208: [pkg-php-maint] Bug#658208: [php5] README.Debian.security: "problems used by sloppy developers"

Filipus Klutiero chealer at gmail.com
Wed Feb 8 18:58:43 UTC 2012

Hi Ondřej,

On 2012-02-08 13:33, Ondřej Surý wrote:
> On Wed, Feb 8, 2012 at 18:03, Filipus Klutiero<chealer at gmail.com>  wrote:
>>> We provide some examples to illustrate that: putting untrusted data into
>>> tar or unserialize functions without further checking may result in
>>> adverse effects.
>> I see. Could you please provide example CVEs, or the names of the specific
>> relevant tar functions?
> No, and there is no reason to do that.  It's not meant as definitive list, but
> a list of few examples. I have run the current text[1] through our Debian L10N
> English team and my opinion is that the text now accurately reflects PHP 5.4
> security policy.

Although mentioning these in the README may be a good idea, all I meant 
to ask was to provide these to me via this report, so I can get a good 
understanding of what the README intended to say and suggest a phrasing 
that reflects the intended meaning.
>   You have never provided a consistent text we can use and
> would make you happy (and yes I have checked both bug reports and the only
> thing you have suggested was that we delete whole paragraph) and clearly
> we cannot come to reasonable consensus, also because you consistently pick
> new things (like this email).

I don't know what you mean by "picking new things", but I did provide a 
text in the initial report:
> Sloppy developers do not use problems, although crackers may.
> This is unclear and I frankly wouldn't know how to reformulate besides:
> >  - application code

I don't know if you consider this text as consistent. As I said, I am 
still not sure I understand what the text wants to say.

More information about the pkg-php-maint mailing list