[PHP-DEV] Re: [PHP-QA] Re: [PHP-DEV] Re: [PHP-CVS] cvs: php4(PHP_4_0_5) /sapi/fastcgi
From: Cynic (cynic <email protected>)
Date: 03/21/01

Hi Andi!

At 19:58 21.3. 2001, Andi Gutmans wrote the following:
--------------------------------------------------------------
>Why do we need to have an interrogation. Relax, it's not such a big deal.

We don't. I hope no one will take my remarks personally. :)

>4.0.4pl1 & 4.0.3pl1 both had security fixes (Apache config handling was a security issue).

One might consider all bugs security issues.

>By the way, the error_reporting() pl1 in 4.0.1 was due to a bug which was in the CVS a looooong time. It was not a spontaneous bug that was introduced.

Well, how come it wasn't serious enough to make it into 4.0.1,
and two days later it justified a release of pl1? :) I guess
such a situation was a symptom of a need for a better RC process...
It improved. I understand Sascha's fear the group was backpedalling
from the position it has achieved.

I must say I agree with Sascha and the other people who wrote that
they'd prefer new stuff _not_ added during an RC period.
Apache group has a pretty different modus operandi, more like FreeBSD
with a group of committers, and if you check new-httpd <email protected>,
you'll see that they're trying to tighten it even more. They tossed
CVS branches, and it seems like they're going to use code-freeze
periods. Now, before someone jumps on this, I know PHP isn't Apache,
and there are other projects that do well without freezes, but I
still think PHP is a bit too liberal in this area.

>At 07:50 PM 3/21/2001 +0100, Sascha Schumann wrote:
>>On Wed, 21 Mar 2001, Andi Gutmans wrote:
>>
>>> A couple of these were buffer overflows IIRC which were security issues.
>>> Remember the group@ emails about those?
>>
>> Fixes against format-string attacks and for file-upload
>> issues went into 4.0.3. Or what are you referring to?
>>
>> - Sascha Experience IRCG
>> http://schumann.cx/ http://schumann.cx/ircg
------end of quote------

cynic <email protected>
-------------
And the eyes of them both were opened and they saw that their files
were world readable and writable, so they chmoded 600 their files.
    - Book of Installation chapt 3 sec 7

-- 
PHP Development Mailing List <http://www.php.net/>