2013/12/25 Reco <recovery...@gmail.com>

> Hi.
>
> On Wed, 25 Dec 2013 12:02:50 +0100
> Raffaele Morelli <raffaele.more...@gmail.com> wrote:
>
> > > > IMHO your claim is a little bit conceited, it sounds like a
> > > > self-styled web developer "guru" talking to his ego.
> > >
> > > Have I offended you somehow? Why this personal attack?
> > >
> >
> > Nothing personal, just a reminder to be humble when offending thousands
> > of people writing webapps in php.
>
> Glad we have this sorted out then. My apologies, just in case.
> As for thousands of PHP developers I believe you're underestimating the
> actual number by several orders of magnitude. It's more like hundreds
> of thousands.
>
> > > Still, the only thing that I know about PHP is one should stay clear of
> > > it unless necessary. And even in the last case, one should avoid using
> > > PHP for any purpose.
> > >
> >
> > So you don't know anything about php but you are relying on debian and
> > seclist bug reports to say one should stay clear of it (may we have to
> > stay clear from hundreds of other packages listed there?)
>
> I wouldn't say I know nothing about PHP. I'd say 'I know enough'.
> Whether 'we' should 'stay clear' of something is up to those 'we' to
> decide.
>
> > > This opinion comes from:
> > >
> > > http://www.debian.org/security/
> > > http://seclists.org/bugtraq/
> > > http://seclists.org/fulldisclosure/
> > >
> > > And last, but not least:
> > >
> > > http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/
> > >
> >
> > The internet is full of that "Hey this is cool, this is shit" stuff, the
> > poster hates php and loves python and perl. With a little googling you
> > can find similar posts for other languages.
>
> My, my. Disregarding well-known Bugtraq and Full-Disclosure just like
> that… Those guys and gals deserve better, trust me on this.
>
> Still.
> During 2013 (I think we can disregard the last week of the year
> safely), the php5 package (a source package, mind you, lots of stuff is
> built from it) got four Debian Security Advisories.
>
> During the same 2013, ruby-1.8 got one, ruby-1.9 got two, perl got one,
> python got zero.
>
> And the Debian Security team doesn't like to write one DSA for one
> vulnerability, they prefer to shovel several of them into one DSA.
>
> Now, that's only Debian-acknowledged security problems, which concern
> stable (maybe oldstable). And only the implementation of the language
> itself.
>
> Some more numbers:
>
> All known CVEs for php (4993):
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=php
>
> For ruby (162):
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ruby
>
> For perl (189):
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=perl
>
> For python (139):
> http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python
>
> That's what I meant when I wrote about the 'security record of PHP' and
> '"wise and skilled" cannot be applied to a majority'.
>
> > > PS I'm not a developer. I'm that guy they call to clean up the mess
> > > that developers wrote.
> > >
> >
> > Right, you "clean up the mess that developers wrote", not the mess the
> > programming language caused.
>
> Whether the programming language itself is good or bad is irrelevant
> indeed. Now, whether the programming language in question is an
> entry-level one or not - that makes a difference.
> Because - the less skill and experience a programming language requires -
> the messier the end result will be. And the more work it means for
> me.
>
> Reco
We are going too deep and too far away, and your claims on languages are generic and personal IMO. Bug reports are important, but if we judge packages on a bug-count basis we "destroy" everything.

We have very different points of view about programming languages: I trust the architecture, the algos and the underlying logic of an app and its creator, not the language he relies on, whether it is high-level or low-level.

/r