On Mon, 16 Jul 2012, Jonas Smedegaard wrote:
> On 12-07-16 at 02:06pm, Ben Mendis wrote:
> Is it me you call silly?
I think the argument that the language can be used as a determining factor or even as a metric for the security of an application is silly. If you want to take that personally, go right ahead. But I don't know you, so I wasn't commenting on you specifically.
> I believe I did not argue that security is only an issue with PHP, or argue that the PHP _language_ is all that matters.
No, but you did strongly imply that applications written in PHP have a higher risk of security flaws (presumably in comparison to some unnamed alternative languages), which is what I take issue with. Do you have metrics to support that claim? Because in my experience, and the experience of recognized professionals in the security field, the language used to build an application is not a strong indicator of how secure the application is.
> Yes, it is _possible_ to find bad, insecure code in any language. Yes, it is _possible_ to secure PHP. But what is your point? That it is equally likely to find bad, insecure code anywhere, in any language and using any coding style?
My point is that throwing out and re-implementing an entire code base (or several) because of language elitism and security superstition is probably a mistake. If the only thing that is wrong with these applications is that you don't like the language they were written in, then I would say that there is nothing wrong with them at all. If they have actual flaws which you can identify, then fix them in the existing code base with the existing language. I have not seen any objective evidence so far that indicates re-implementing these projects from scratch in any other language would be any more efficient than maintaining the existing code. Arguing which languages or coding styles do or don't produce secure code is a religious argument, unless you have objective metrics to back up your claims. And frankly, unless you're the one putting in the hours to do the rewrite then the discussion is just bikeshedding anyways.

Also, I'll point out again, I'm still not talking about you personally, I'm talking about the discussion and its participants in general (which now includes myself). Arguing religion doesn't solve problems; solving problems solves problems.

_______________________________________________
Freedombox-discuss mailing list
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
