On 15-May-06, at 9:39 AM, Stefan Esser wrote:

> Hello,
>
> okay, mistakes happen every day but it really sucks that PHP.net
> continues trying to hide mistakes.
>
> 1) PHP 5.1.4 was released with a nonsense announcement claiming that
> there was only a problem with POST arrays or POST file uploads.
> -> In reality a paid Zend developer had destroyed the handling of
> arrays in any kind of user input in PHP 5.1.3 completely. Ironically,
> after that incident another Zend man came forward and dared to say "I
> don't trust our core testers anymore".

That is what the bug reports that appeared in relation to the problem
were complaining about; the announcement was tailored to address the
issues raised by those people.

> 2) PHP 5.1.4 was lacking the PEAR installer, which resulted in make
> install downloading the file from the web.
> a) this part should be removed from the make file completely,
> because 'make install' is usually executed as root and under no
> circumstances should download a file from an insecure HTTP source.

We didn't have an automated process for including PEAR's phar file;
it is now part of the release generation script. As for the
automated download, for full releases this will not be necessary in
the future as the file will be included by default. As for the phar
download, I think it either needs to require a confirmation prompt or
simply not be done automatically; either way is fine by me.

> b) this fact was again hidden by silently replacing the PHP 5.1.4
> tarball with a new one, after the other one had been out for more than a
> week.

The code in the release did not change one bit; the only change was
the inclusion of the missing phar file, which hardly warrants 5.1.5 or
even 5.1.4pl1. This will have no impact on people who have already
downloaded and installed PHP, nor will it impact people who have
yet to download PHP.

> PHP.net is more and more turning into Microsoft (more than 3 months to
> resolve critical security problems). I guess that comes with the
> involvement of Enterprise companies.

The patches for security holes are usually in within a week; if you
want to fetch them you can do so either in the form of a PHP snapshot
or as a specific patch from CVS. To make a release every time we get a
security fault is impractical. Like most other projects, a number of
security fixes is combined into a group, and when a group is
sufficiently large a release is made. None of the bugs resolved were
super-critical issues such as remote code execution, which would
indeed warrant something like an emergency release just for that
particular patch.

Ilia
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php