sorry list,

this discussion is going into a totally wrong direction. To make my
point clear once again:

       >> it's all just a question of user-perception! <<

there is definitely NO NEED to discuss any security-items in this place
- instead i wanted to make the right people think about changing the behavior
of expose_php, while they are sitting together in paris and talk about the
future of php. And this only, as maybe netcraft-numbers tell us, to at
least take such a change into consideration. That's really all, so please
stop discussing whether it may or may not be useful or more secure to
activate expose_php or not. that is (in my eyes) REALLY not the question.
if security experts have influence on people, that hence turn expose_php
off and hence netcraft numbers for php go down, i can only say "Houston,
we have a problem" and we should do something about it.


thanks anyway for your input, i hope you understand my point of view,

best regards

-Wolfgang

--
PHP-Centralpoint Dynamic Web Pages: http://www.dynamicwebpages.de/
German PHP-Certification: http://www.phpzertifizierung.de/

 
 

> -----Original Message-----
> From: Jasper Bryant-Greene [mailto:[EMAIL PROTECTED] 
> Sent: Thursday, November 10, 2005 9:36 PM
> To: Peter Brodersen
> Cc: [EMAIL PROTECTED]; Wolfgang Drews; 'Derick Rethans'; 
> internals@lists.php.net
> Subject: Re: [PHP-DEV] Re: Expose php: on or off
> 
> Peter Brodersen wrote:
> > On Thu, 10 Nov 2005 14:08:29 -0500, in php.internals [EMAIL PROTECTED]
> > (Ilia Alshanetsky) wrote:
> > 
> >>>I don't think it would reduce the number of attacks turning the 
> >>>version information off. But it would be more cumbersome to help 
> >>>people with php issues as the php version is not directly available.
> >>
> >>This is simply not true, when a bug comes in we ask the user to 
> >>specify the version, we don't go looking for their server and checking 
> >>their version.
> > 
> > I wasn't thinking of php development but more general when people have 
> > trouble with their PHP code (posting in newsgroups, forums, irc, ...).
> 
> If someone asks me a PHP question on a newsgroup or forum, 
> and I need to know their version, I ask them for it. If they 
> don't know how, I tell them to run php -V
> 
> This information would be completely useless in the 
> newsgroup/forum use case because it's just as easy (if not 
> easier) to ask them for it or get them to run PHP -V as it is 
> to go hunt down their server and inspect the headers.
> 
> Jasper
> 
> --
> PHP Internals - PHP Runtime Development Mailing List To 
> unsubscribe, visit: http://www.php.net/unsub.php
> 
