Join Up! 104886 members and counting!

Login To PHPBuilder User Name: Password: Register A New Site Account * NOTE: This is for logging into the main site only! To login to the forums, click here

Linux Today Enterprise Linux Today Apache Today JustLinux.com Linux Planet PHPBuilder All Linux Devices Hiermenus DatabaseJournal Technology Jobs Covalent Extends Apache 2.0 to Microsoft ASP.NET ShopWorX - Support for Windows PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 Network Risk Assessment Full-Featured, Java-Based Apache GUI Using the PEAR Pager Package to Paginate MySQL Results Pro PHP Security: Preventing SQL Injection Security Concerns when Developing PHP Applications Value Objects and Data Access Objects with PHP 4.2.x AJAX and PHP Part: Forms and JavaScript Limitations

php-developer-list | 2000111

From: Zeev Suraski (zeev <email protected>)
Date: 11/15/00

• Next message: Jim Jagielski: "Re: [PHP-DEV] CVS Account Request"
• Previous message: Jim Jagielski: "Re: [PHP-DEV] CVS Account Request"
• In reply to: Jim Jagielski: "Re: [PHP-DEV] CVS Account Request"
• Next in thread: André Langhorst: "Re: [PHP-DEV] CVS Account Request"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 02:22 16/11/2000, Jim Jagielski wrote:
>Source-level code is the core of QA. If you can't control or monitor
>the quality of the code coming in, then you can't monitor or
>control the quality of the final product. Security concerns in
>the code, or in patches applied to the code, is most definately
>a QA process. One way of ensuring this is a review-then-commit
>process, where a patch is submitted, reviewed and if approved
>commited. Well, maybe not "ensuring" it because it depends
>on how well it's "reviewed" and even when reviewed, interactions
>happen that cause problems. But it *does* increase the overall
>QA process. Also saying "just you 5 guys have commit access"
>does it as well. Not everyone who submits a patch needs CVS commit. :)
>CVS implies trust of the committer and responsibility of others
>to look over the patch.

I agree, and I think it's all a matter of finding the right mix. Saying
the bar should be as low as possible is wrong, but going to the other
extreme, where every patch has to be reviewed and accepted is also bad, and
will definitely hurt PHP's quick advancement. With the amount of code that
is going into PHP (which is generally a Good Thing), I think we have to be
realistic, and accept the fact that complete source-level QA is not going
to be possible. Right now there's no formalized source level QA, and the
PHP QA team is oriented towards functional testing only.

I think that setting the bar slightly higher, and maintaining ACL's, will
not hurt any legitimate submitters, and will reduce the likelihood of
illegitimate ones getting in.

Zeev

--
Zeev Suraski   <zeev <email protected>>
CTO, Zend Technologies Ltd.  http://www.zend.com/
-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>

• Next message: Jim Jagielski: "Re: [PHP-DEV] CVS Account Request"
• Previous message: Jim Jagielski: "Re: [PHP-DEV] CVS Account Request"
• In reply to: Jim Jagielski: "Re: [PHP-DEV] CVS Account Request"
• Next in thread: André Langhorst: "Re: [PHP-DEV] CVS Account Request"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Columns / Articles | Tips / Quickies | News | News Linking and RSS Feeds | Shared Code Library Mail Archives | Support / Discussion Forums | Get Started! Links | Contribute! | Docs