Bug#658208: [php-maint] Bug#658208: Bug#658208: Bug#658208: [php5] README.Debian.security: "problems used by sloppy developers"

Tue, 07 Feb 2012 09:54:20 -0800 

On 2012-02-03 07:16, Thijs Kinkhorst wrote:

On Thu, February 2, 2012 19:42, Filipus Klutiero wrote:

Hi Thomas,

On 2012-02-02 13:18, Thomas Goirand wrote:

On 02/03/2012 01:50 AM, Filipus Klutiero wrote:

That would leave the question, where is PHP functionality flawed if it
is not in PHP's design?

That's a discussion that could be huge. Do you think that
README.Debian.security or even the Debian BTS, are places were we should
discuss this? (or maybe you're not having this discussion, and regret
that the README.Debian.security leads to it?)

Sorry, there seems to be a misunderstanding. What I'm reporting is that
the current README contains a non-sensical item. Thijs has fixed the
problem, but the new version is also problematic. The new version would
say:


Security support will not be provided for flaws in functionality which
is not flawed in the design of PHP but can be problematic when used by
sloppy developers.


I also suggested in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639230#25 that the
entire item be scrapped.

It's there because people report(ed) on security mailinglists, and CVE
names got assigned for, such issues. We want to make it clear that we
categorically do not treat those as vulnerabilities.
Could you please give examples, so we're all clear on the kind of problem we're talking about? 


What I am saying is that this wording will leave the reader puzzled; if
a flaw in a PHP functionality is not in PHP's design, the reader will
wonder where the flaw is.

In our view point the flaw is in sloppy application code. The part 'but
can be problematic when used by sloppy developers' indicates that to the
user.
I've changed 'developers' to 'application developers' to make it clear
that we're not referring to PHP upstream development here.


Fine, but that leaves the question equally unanswered.
If a flaw in PHP functionality is not in PHP's design, where is the flaw? A flaw in PHP functionality is not in application code, sloppy or not. PHP functionality exists independent of application code using it. 



--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to