Hi Ondřej,

On 2012-02-07 13:17, Ondřej Surý wrote:
Filipus,

On Tue, Feb 7, 2012 at 18:51, Filipus Klutiero <chea...@gmail.com> wrote:
It's there because people report(ed) on security mailing lists, and CVE
names got assigned for, such issues. We want to make it clear that we
categorically do not treat those as vulnerabilities.
Could you please give examples, so we're all clear on the kind of problem
we're talking about?
If you are unhappy with the current text please provide updated text.

I am indeed unhappy with the current text (in unstable and experimental). I already provided an updated text.

In our viewpoint the flaw is in sloppy application code. The part 'but
can be problematic when used by sloppy developers' indicates that to the
user.
I've changed 'developers' to 'application developers' to make it clear
that we're not referring to PHP upstream development here.

Fine, but that leaves the question equally unanswered.
If a flaw in PHP functionality is not in PHP's design, where is the flaw? A
flaw in PHP functionality is not in application code, sloppy or not. PHP
functionality exists independent of application code using it.
If those philosophical questions are really that worthy to you please either
provide a specific text which can be used or have that debate elsewhere.

I am far from valuing this question. As I already explained:

Sorry, there seems to be a misunderstanding. What I'm reporting is that
the current README contains a nonsensical item. Thijs has fixed the
problem, but the new version is also problematic. The new version would say:

> Security support will not be provided for flaws in functionality which is
> not flawed in the design of PHP but can be problematic when used by sloppy
> developers.

What I am saying is that this wording will leave the reader puzzled; if
a flaw in a PHP functionality is not in PHP's design, the reader will
wonder where the flaw is.
I do not expect the README to answer that question, I would rather have
it avoid raising the question.

I think that the purpose
of the README.Debian.security is that we will provide only updates for
serious bugs.

If that's what it means, then please just say that. It will be both much quicker to read and much more clear.

If you have a specific text you would like to see in the document, please
add it to this bug and re-open it.

I won't reopen this report, the bug was fixed by Thijs. There is no specific text I want to see in the document, I just want whatever text will be in the document to be sensical.

And please don't play BTS ping pong without
a text.

What?


