Stefan,

I don't see why this attack is directed at Zend people working on
PHP, where the release process is completely a community driven
effort (and last time I checked, no enterprise was involved in that
process either).

I agree the release process isn't perfect yet, and it becomes
increasingly hard as PHP grows, but your points would be better made
if they were not directed against individual contributors but as an
email to raise general awareness and discussion.

Ilia for one works hard and does his best (probably better than any
release manager before him) to juggle between the various issues and
priorities of each release.

Andi
At 06:39 AM 5/15/2006, Stefan Esser wrote:
Hello,

okay, mistakes happen every day but it really sucks that PHP.net
continues trying to hide mistakes.

1) PHP 5.1.4 was released with a nonsense announcement claiming that
there was only a problem with POST arrays or POST file uploads.
-> In reality a paid Zend developer had destroyed the handling of
arrays in any kind of user input in PHP 5.1.3 completely. Ironically
after that incident another Zend man came forward and dares to say "I
don't trust our core testers anymore"

2) PHP 5.1.4 was lacking the PEAR installer which resulted in make
install downloading the file from the web.
a) this part should be removed from the make file completely
because 'make install' is usually executed as root and under no
circumstances should download a file from an insecure HTTP source.
b) this fact was again hidden by silently replacing the PHP 5.1.4
tarball with a new one, after the other one was out for more than a week.

PHP.net is more and more turning into Microsoft (more than 3 months to
resolve critical security problems). I guess that comes with the
involvement of Enterprise companies.

Yours,
Stefan Esser
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php