
Re: Debian Wheezy Compromised - www-data user is sending 1000 emails an hour



Hi.

On Wed, 25 Dec 2013 12:02:50 +0100
Raffaele Morelli <raffaele.morelli@gmail.com> wrote:

> > > IMHO your claim is a little bit conceited, it sounds like a self-styled
> > web
> > > developer "guru" talking to his ego.
> >
> > Have I offended you somehow? Why this personal attack?
> >
> 
> Nothing personal, just a reminder to be humble when offending thousands of
> people writing webapps in php.

Glad we have this sorted out then. My apologies, just in case.
As for thousands of PHP developers, I believe you're underestimating the
actual number by several orders of magnitude. It's more like hundreds
of thousands.

> 
> 
> >
> > Still, the only thing that I know about PHP is one should stay clear of
> > it unless necessary. And even in the last case, one should avoid using
> > PHP for any purpose.
> >
> 
> So you don't know nothing of php but you are relying on debian and seclist
> bug reports to say one should stay clear of it (may we have to stay clear
> from hundreds of other packages listed there? )

I wouldn't say I know nothing about PHP. I'd say 'I know enough'.
Whether 'we' should 'stay clear' of something is up to those 'we' to
decide.


> 
> 
> > This opinion comes from:
> >
> > http://www.debian.org/security/
> > http://seclists.org/bugtraq/
> > http://seclists.org/fulldisclosure/
> >
> > And last, but not least:
> >
> > http://me.veekun.com/blog/2012/04/09/php-a-fractal-of-bad-design/
> 
> 
> The internet is full of that "Hey this is cool, this is shit" stuff, the
> poster hates php and loves python and perl. With a little googling you can
> find similar posts for other languages.

My, my. Disregarding well-known Bugtraq and Full-Disclosure just like
that… Those guys and gals deserve better, trust me on this.

Still. During 2013 (I think we can safely disregard the last week of the
year), the php5 package (a source package, mind you, lots of stuff is
built from it) got four Debian Security Advisories.

During the same 2013, ruby-1.8 got one, ruby-1.9 got two, perl got one,
python got zero.

And the Debian Security team doesn't like to write one DSA per
vulnerability; they prefer to shovel several of them into one DSA.

Now, that's only Debian-acknowledged security problems, which concern
stable (maybe oldstable). And only the implementation of the language
itself.

Some more numbers:

All known CVEs for php (4993):
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=php

For ruby (162):
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ruby

For perl (189):
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=perl

For python (139):
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=python


That's what I meant when I wrote about the 'security record of PHP' and
'"wise and skilled" cannot be applied to a majority'.


> > PS I'm not a developer. I'm that guy they call to clean up the mess
> > that developers wrote.
> >
> 
> Right, you "clean up the mess that developers wrote", not the mess the
> programming language caused.

Whether the programming language itself is good or bad is irrelevant
indeed. Now, whether the programming language in question is
entry-level or not - that makes a difference.
Because - the less skill and experience a programming language requires -
the messier the end result will be. And the more work it means for
me.

Reco

