Hi Yasuo,

On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray <array...@gmail.com> wrote:
>
>> I think there really should be a vote.
>
> This means you don't really understand the true risk of this vulnerability.
> It allows permanent session ID fixation. This is a CVE-assigned
> vulnerability.
> Details are explained in the RFC and I don't want to explain fully in ML
> again.
> (We might have discussed the details in secur...@php.net, but I think I wrote
> enough info)
>
> Please refer to the RFC.

I do really understand the risk... I'm saying there should be a vote not on whether or not to fix it, but on how to fix it.

Ideally we can figure out something we're all happy with and don't need to vote, but while we so evidently disagree, I think we do.

I'm not going to repeat my arguments against the committed solution yet again, but I really think we need a better one.

Arpad