[PLUG] PHP bugs.
Ronald Chmara
ron at Opus1.COM
Fri Oct 12 04:01:47 UTC 2007
On Oct 10, 2007, at 11:12 PM, Brent Rieck wrote:
> Ronald Chmara wrote:
>> If you're not at 5.2.4 (or a patched equivalent), you're running bad
>> code, with literally *thousands* of security and stability patches
>> omitted.
>
> Ronald Chmara wrote:
>> Pretty close, but not the whole picture. Let me tell you about snaps,
>> and the php bug life cycle. (Others reading this can point and
>> laugh.)
>
> Hmm. I guess I still don't "get" or "believe" your math then..
I'll simplify, without explaining the "why", then:
Over 100K lines of diff between two "minor" revisions (5.2.3 and
5.2.4) is not (in my mind) "a few patches", or even a few hundred
patches. It is thousands. Keep in mind that PHP is up to 65Mb for an
uncompressed *source* download (of mostly C code, can't totally blame
OO bloat) for an idea of the sheer scale involved.
> it sounds like a way to inflate the number of bugs in software to
> scare the bejesus out of people..
Oh, no fear. Just try to stay current. Please.
<http://www.php.net/manual/en/security.current.php>
If you have backups and don't *mind* being compromised, because you
have *very good reasons* to run known insecure software, it's all good!
Now, as far as issues listed as "bugs" that were publicly reported
and closed, the (reported under) 5.2 tree has 562 closed issues, the
larger 5.x tree has 3,145 closed issues, and 319 open issues (that
doesn't count bugs open since the 4.x tree).
I'd guess where our thinking, and our perceptions, aren't lining up
is in the difference between calling something a "bug" and calling
something, oh, an update, a feature improvement, a stability
improvement, a "typo patch", a "new unit test feature", or any number
of other clever euphemisms for saying "this code was broken/wrong in
some way and had to be altered".
To further reduce the issue, best as I can tell, you are looking at
dumbed-down changelogs, I am looking at actual code changes, and the
two simply don't line up. They're not even in the same ballpark.
> I'm not sure why, particularly when 99.999% of
> the users of mature software don't download every snapshot the
> developers pinch off.
Yes, but hopefully (not!) 99.99% of the admins and users download the
latest security-patched version, to avoid being exploited with
*publicly* known security holes.
*sigh*
Here, enjoy:
http://www.php-security.org/
-Bop