Filipus,

On Tue, Feb 7, 2012 at 18:51, Filipus Klutiero <chea...@gmail.com> wrote:
>> It's there because people report(ed) on security mailing lists, and CVE
>> names got assigned for, such issues. We want to make it clear that we
>> categorically do not treat those as vulnerabilities.
>
> Could you please give examples, so we're all clear on the kind of problem
> we're talking about?

If you are unhappy with the current text, please provide updated text.
I am happy with the text as is.

>> In our viewpoint the flaw is in sloppy application code. The part 'but
>> can be problematic when used by sloppy developers' indicates that to the
>> user.
>> I've changed 'developers' to 'application developers' to make it clear
>> that we're not referring to PHP upstream development here.
>
>
> Fine, but that leaves the question equally unanswered.
> If a flaw in PHP functionality is not in PHP's design, where is the flaw? A
> flaw in PHP functionality is not in application code, sloppy or not. PHP
> functionality exists independent of application code using it.

If those philosophical questions are really that worthy to you, please
either provide a specific text which can be used or have that debate
elsewhere. This issue is not worth spending any more time on.

I think that the purpose of the README.Debian.security is that we will
provide only updates for serious bugs.

I will remove the third bullet (register_globals) and update the second
(safe_mode), as those features have been removed from PHP 5.4, and I am
closing this bug.

If you have a specific text you would like to see in the document,
please add it to this bug and re-open it. And please don't play BTS
ping pong without a text.

Thank you,
Ondrej
--
Ondřej Surý <ond...@sury.org>