[PLUG] PHP bugs.

Ronald Chmara ron at Opus1.COM
Fri Oct 12 04:01:47 UTC 2007


On Oct 10, 2007, at 11:12 PM, Brent Rieck wrote:
> Ronald Chmara wrote:
>> If you're not at 5.2.4 (or a patched equivalent), you're running bad
>> code, with literally *thousands* of security and stability patches
>> omitted.
>
>
> Ronald Chmara wrote:
>> Pretty close, but not the whole picture. Let me tell you about snaps,
>> and the php bug life cycle. (Others reading this can point and laugh.)
>
> Hmm.  I guess I still don't "get" or "believe" your math then..

I'll simplify, without explaining the "why", then:
Over 100K lines of diff between two "minor" revisions (5.2.3 and
5.2.4) is not (in my mind) "a few patches", or even a few hundred
patches. It is thousands. Keep in mind that PHP is up to 65Mb for an
uncompressed *source* download (of mostly C code, can't totally blame
OO bloat) for an idea of the sheer scale involved.

> it sounds like a way to inflate the number of bugs in software to
> scare the bejesus out of people..

Oh, no fear. Just try to stay current. Please.
  <http://www.php.net/manual/en/security.current.php>

If you have backups and don't *mind* being compromised, because you  
have *very good reasons* to run known insecure software, it's all good!

Now, as far as issues listed as "bugs" that were publicly reported  
and closed, the (reported under) 5.2 tree has 562 closed issues, the  
larger 5.x tree has 3,145 closed issues, and 319 open issues (that  
doesn't count bugs open since the 4.x tree).

I'd guess where our thinking, and our perceptions, aren't lining up  
is in the difference between calling something a "bug" and calling  
something, oh, an update, a feature improvement, a stability  
improvement, a "typo patch", a "new unit test feature", or any number  
of other clever euphemisms for saying "this code was broken/wrong in  
some way and had to be altered".

To further reduce the issue, best as I can tell, you are looking at  
dumbed-down changelogs, I am looking at actual code changes, and the  
two simply don't line up. They're not even in the same ballpark.

> I'm not sure why, particularly when 99.999% of
> the users of mature software don't download every snapshot the
> developers pinch off.

Yes, but hopefully (not!) 99.99% of the admins and users download the  
latest security-patched version, to avoid being exploited with  
*publicly* known security holes.

*sigh*

Here, enjoy:
http://www.php-security.org/

-Bop