Hey,

> The code in the release did not change one bit, the only change was the
> inclusion of the missing phar file, this hardly warrants 5.1.5 or even
> 5.1.4pl1. This will have no impact on people who have already
> downloaded and installed PHP, nor will this impact people who have yet
> to download PHP.

It will have an effect on everyone using e.g. Gentoo Linux or the BSD
port systems, because mysteriously the hash of the tarball changed and
people will get warnings about modified tarballs. It also has the effect
that I am getting emails from people asking me if PHP.net was
backdoored, because the MD5 hash changed....

And if you want to change tarballs and don't change the version number
(which is considered very bad by many people) then at least WARN people
about the modified tarball. A simple message: "tarball was missing PEAR
and was therefore rerolled" is not so bad...

> The patches for security holes are usually in within a week, if you
> want to fetch them you can do so either in a form of a PHP snapshot or
> a specific patch from CVS. To make releases every time we get a
> security fault is impractical.

First, the zend_hash_del() bug caused remote code execution in a bunch
of popular PHP scripts. Secondly, most open source projects release
security bugfix releases. PHP.net on the other hand doesn't do this
anymore. There are no security-only fixes anymore. Instead we release
not properly tested new versions of PHP that break tons of servers.
(fastcgi ....)

And well... I still see no PHP 4.4.3 on PHP.net... However we still
offer the PHP 4.4.2 tarball (knowing that it has critical security
holes). So either we release a security FIX release or we kick the
tarball and declare PHP4 unsupported from now on.

Yours,
Stefan Esser

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
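The distfile check that Gentoo and the BSD ports trees perform, and why a silently rerolled tarball trips it even when no source file changed, as an added example that is not part of this thread or of any port system's actual code. The two archives, the file names inside them (including the "missing" phar) and the manifest entry are all constructed here; the digest values are computed at run time and nothing is derived from the real PHP release tarballs.

```python
"""Why a rerolled tarball trips a ports-tree distfile check.

Added example, not code from the thread. The archives are built in
memory from made-up contents; the version string and file names are
placeholders chosen to mirror the situation in the mail.
"""
import hashlib
import io
import tarfile
from typing import Dict, List


def build_tarball(files: Dict[str, bytes]) -> bytes:
    """Build a deterministic uncompressed tar from {path: content}.

    Uncompressed so the bytes depend only on the members (gzip would
    also embed a timestamp); that keeps the digests stable across runs.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name=name)
            info.size = len(files[name])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_distfile(data: bytes, manifest: Dict[str, str], name: str) -> bool:
    """The check a ports tree does after fetching: whole-archive digest
    versus the digest recorded when the port was made. It cannot tell
    'a file was added' from 'the archive was tampered with'."""
    return sha256(data) == manifest[name]


def member_digests(data: bytes) -> Dict[str, str]:
    """Per-file digests of the regular files inside an archive."""
    out: Dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():
                out[m.name] = sha256(tar.extractfile(m).read())
    return out


def explain_mismatch(old: bytes, new: bytes) -> Dict[str, List[str]]:
    """Explain a digest mismatch at file level: which members were added,
    removed or modified. This is the information a reroll notice should
    carry so users can tell a repackaging from a backdoor."""
    a, b = member_digests(old), member_digests(new)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


# Constructed archives: the same single source file in both, the
# rerolled one additionally carries the phar that the first one lacked.
SOURCE = b"int main(void) { return 0; }\n"
ORIGINAL = build_tarball({"php-5.1.4/main/main.c": SOURCE})
REROLLED = build_tarball({
    "php-5.1.4/main/main.c": SOURCE,
    "php-5.1.4/pear/missing.phar": b"<?php /* placeholder phar */\n",
})

# Digest recorded in the port's manifest when the original release went out.
MANIFEST = {"php-5.1.4.tar": sha256(ORIGINAL)}


if __name__ == "__main__":
    print("original passes:", check_distfile(ORIGINAL, MANIFEST, "php-5.1.4.tar"))
    print("rerolled passes:", check_distfile(REROLLED, MANIFEST, "php-5.1.4.tar"))
    print("difference:", explain_mismatch(ORIGINAL, REROLLED))
```

The whole-archive check is all a ports tree has, so every user with the old manifest gets the same warning regardless of whether the change was an added phar or a planted backdoor; only the file-level comparison (or an explicit notice from the releaser) distinguishes the two.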