JeevesBond — Wed, 28 Feb 2007 01:44:16 +0000

Agreed with everything Abhi said. This person is only doing what he's doing after many months (if not years) of frustration at the PHP Security Team. Note one of the quotes:

Quote: As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before.

He's given them plenty of warning. They've had many opportunities to fix the problems, but they've continually ignored them or told people they don't exist. I've heard of Microsoft taking a similar tack when it comes to bugs, it's not acceptable from them so it's definitely no acceptable in a FLOSS project!

Abhi wrote: Anyway, I'm glad this is finally happening. In my opinion, PHP has been resting on its laurels somewhat in the last couple of years -- not just in security. I hope the Month of Bugs will either drive the project to refocus, or drive its users to better technologies.

Now all we need is a 'PHP Month of namespaces' or some of the other things on Abhi's list of reasons why PHP sucks (my favourite TWF post ever).

andy206uk — Sun, 25 Feb 2007 10:00:01 +0000

Ahhh... that kinda clarifies it for me. I figured he was doing this without giving them a good chance to fix PHP in advance.

Abhishek Reddy — Sat, 24 Feb 2007 13:52:15 +0000

andy206uk;215730 wrote: I have to say, the way he's handling this is wrong. What he should have done is told the guys that make PHP about the bugs a month in advance and told them that if they didn't resolve them by a certain deadline THEN he would begin releasing them.

That's basically what he's doing. The Month of PHP Bugs was announced at least a month ago. He resigned from the PHP Security Response Team in early December. He founded the SRT in 2004.

So the PHP security people were well aware of a lot of unresolved bugs for a long time, as Esser and others had been reporting them for years. But the team refuse even to acknowledge many of the bugs, let alone attempt to fix them or actually fix them properly.

andy206uk;215730 wrote: Why should we all suffer because he's got beef with the PHP team?

His premise is that we're already suffering because the PHP team aren't doing their job. Hopefully what he's trying now -- after all his prior effort -- will help improve the situation.

pr0gr4mm3r wrote: His actions seem quite immature IMHO.

It may seem so when seen out of context. You have to bear in mind that he has been dealing with the PHP folks for years and it led nowhere.

I guess it would be better if he also released patches along with the bugs, but I think that would be an unreasonable ask. That's what the PHP security team is there for, after all.

Anyway, I'm glad this is finally happening. In my opinion, PHP has been resting on its laurels somewhat in the last couple of years -- not just in security. I hope the Month of Bugs will either drive the project to refocus, or drive its users to better technologies.

I can't imagine that it will have a significant adverse effect for users, though. The security risks of poorly written PHP applications, or improper server configuration, are far greater than those of bugs in PHP core -- by Esser's own admission.

pr0gr4mm3r — Sat, 24 Feb 2007 13:06:32 +0000

Quote: Why should we all suffer because he's got beef with the PHP team?

His actions seem quite immature IMHO.

andy206uk — Sat, 24 Feb 2007 12:41:47 +0000

Thanks for pointing this out... I've told the sysadmins at the company they work for.

I have to say, the way he's handling this is wrong. What he should have done is told the guys that make PHP about the bugs a month in advance and told them that if they didn't resolve them by a certain deadline THEN he would begin releasing them.

Why should we all suffer because he's got beef with the PHP team?

JeevesBond — Sat, 24 Feb 2007 07:25:00 +0000

Quote: Nobody uses automated backups? Mine are backed up every night.

We have mostly automatic updates, just have to run a script and enter SSH passwords. Unfortunately our server doesn't support using certificates for automatic logins.

I can imagine there will be many bloggers and small businesses which don't bother backing-up.

demonhale — Sat, 24 Feb 2007 05:44:08 +0000

I have peace of mind when I do backups myself... but still, I hate bugs...

pr0gr4mm3r — Fri, 23 Feb 2007 21:15:43 +0000

Nobody uses automated backups? Mine are backed up every night.

demonhale — Wed, 21 Feb 2007 21:39:33 +0000

Dang! Another busy series of months again then... I hope they just keep it under wraps...

Megan — Wed, 21 Feb 2007 13:55:58 +0000

I'm moving this to Webmaster's Corner where more people will see it - too important to be left in server-side scripting

This means that you need to BACK UP anything you have running on php and keep an eye out for upgrades on any scripts you are using.