[php-maint] Bug#658208: [pkg-php-maint] Bug#658208: [php5] README.Debian.security: "problems used by sloppy developers"

Filipus Klutiero chealer at gmail.com
Wed Feb 8 18:58:43 UTC 2012


Hi Ondřej,


On 2012-02-08 13:33, Ondřej Surý wrote:
> On Wed, Feb 8, 2012 at 18:03, Filipus Klutiero <chealer at gmail.com> wrote:
>>> We provide some examples to illustrate that: putting untrusted data into
>>> tar or unserialize functions without further checking may result in
>>> adverse effects.
>> I see. Could you please provide example CVEs, or the names of the specific
>> relevant tar functions?
> No, and there is no reason to do that.  It's not meant as definitive list, but
> a list of few examples. I have run the current text[1] through our Debian L10N
> English team and my opinion is that the text now accurately reflects PHP 5.4
> security policy.

Although mentioning these in the README may be a good idea, all I meant 
to ask was to provide these to me via this report, so I can get a good 
understanding of what the README intended to say and suggest a phrasing 
that reflects the intended meaning.
> You have never provided a consistent text we can use and
> would make you happy (and yes I have checked both bug reports and the only
> thing you have suggested was that we delete whole paragraph) and clearly
> we cannot come to reasonable consensus, also because you consistently pick
> new things (like this email).

I don't know what you mean by "picking new things", but I did provide a 
text in the initial report:
> Sloppy developers do not use problems, although crackers may.
> This is unclear and I frankly wouldn't know how to reformulate besides:
> >  - application code

I don't know if you consider this text as consistent. As I said, I am 
still not sure I understand what the text wants to say.
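The README sentence quoted above about passing untrusted data to unserialize, illustrated with an added example that is not part of this thread or of the Debian package; it assumes PHP 7.4 or later for the typed property and the allowed_classes option (PHP >= 7.0), and the class and input are constructed for the illustration:

```php
<?php
// Added example, not from the thread: why unserialize() on untrusted input
// is risky and what a defender can check or change.

// Any class with magic methods is a candidate: unserialize() instantiates
// whatever class name the input names and PHP later runs its __wakeup()
// or __destruct() on that instance.
class CacheEntry {
    public string $path = '/tmp/cache.tmp';
    public function __destruct() {
        // Side effects here run for instances built from attacker-chosen
        // bytes just as for instances the application created itself.
        echo "cleanup of {$this->path}\n";
    }
}

// Constructed sample input, such as a cookie or request parameter value.
$untrusted = 'O:10:"CacheEntry":1:{s:4:"path";s:10:"/tmp/other";}';

// Unsafe: the input decides which application classes get instantiated.
function unsafeLoad(string $data): bool {
    $obj = unserialize($data);
    return $obj instanceof CacheEntry;   // true: a real CacheEntry was built
}

// Safer: refuse every class. Objects come back as __PHP_Incomplete_Class,
// so no application magic method runs; scalars and arrays still decode.
function guardedLoad(string $data): bool {
    $obj = unserialize($data, ['allowed_classes' => false]);
    return $obj instanceof __PHP_Incomplete_Class;
}

// Preferable for data exchange: a format that cannot encode objects at all.
function jsonLoad(string $data): array {
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

var_dump(unsafeLoad($untrusted));
var_dump(guardedLoad($untrusted));
var_dump(jsonLoad('{"path":"/tmp/other"}'));
```

A quick audit check for the same issue is to grep application code for unserialize( calls whose argument originates from a request, cookie, database or cache, and confirm each one either passes allowed_classes or is replaced by json_decode.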