Hi, considering that I am the antichrist and eat little children, it may be better to quote Lord Voldemort instead of Harry Potter: "Don't you turn your back on me, Harry Potter, I want you to look at me when I kill you, I want to see the light leave your eyes."
Back to serious. It is nice, Reindl, that you defend me, but you will not convince people like MM. And you don't have to. Suhosin is not a religion or a Harry Potter movie. If he does not trust me, then he is free to not use it. No one forces anyone to do anything. At least not from my side. Besides the fact that Suhosin is open source and he can audit it himself, or is he not qualified to do it? I explained on Twitter that I would be pretty stupid to try to hide security bugs, because there are enough people out there that would see this and use it to clown me.

Regards,
Stefan

On 06.02.2012 at 17:22, Reindl Harald wrote:
>
>
> On 06.02.2012 17:10, Michael Morris wrote:
>>
>>
>> On Mon, Feb 6, 2012 at 10:32 AM, Reindl Harald <h.rei...@thelounge.net
>> <mailto:h.rei...@thelounge.net>> wrote:
>>
>> first: do not top-post if you get a reply below
>>
>> second:
>> in the context of suhosin "when mistakes get made by such a person,
>> they are hidden away rather than honestly reported" is bullshit
>> at its best
>>
>> * look at the disclosure below
>> * look at the author
>> * look at the way it was made
>>
>> if only 10% of developers would work like Stefan most software
>> out there would be much better than it is and was all the last years
>> and if someone has this attitude and knowledge I see no single
>> problem and understand fully that he is frustrated
>> _______________
>>
>> Author: Stefan Esser [stefan.esser[at]sektioneins.de
>> <http://sektioneins.de>]
>>
>> Disclosure Timeline:
>> 12. January 2012 - Vulnerability was found during an internal audit
>> 14. January 2012 - Vulnerability was fixed in the source code
>> 19. January 2012 - Public Disclosure
>>
>>
>> This underscores my fears. Public disclosure was only made once the fix was
>> composed seven days after
>> discovery, and that's presuming the stated date of discovery is honest. As
>> it is an "internal" audit, who knows
>> other than Stefan? You can take his word. I won't.
>
> if you answer to a list mail, answer to the list and not private, dammit!
>
> would it have been better to make a full disclosure before
> having a fix to help attackers? if this is your opinion
> you are a foolish idiot, sorry but no other words for that
>
> this does not even happen if the one who found an exploit notifies the
> vendor of the software and especially not if the one who found IS
> the vendor and the one who will fix it
>
> you said "when mistakes get made by such a person, they are hidden away
> rather than honestly reported" which is NOT underscored because if
> it would be the truth the disclosure from Stefan would not exist and
> he only had released a new version with a "fixed some small bugs"
> comment and not more
>
>
>
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php