
[Freedombox-discuss] PHP Alternatives?



On Mon, 16 Jul 2012, Jonas Smedegaard wrote:

> On 12-07-16 at 02:06pm, Ben Mendis wrote:
>
> Is it me you call silly?

I think the argument that the language can be used as a determining
factor or even as a metric for the security of an application is silly.
If you want to take that personally, go right ahead. But I don't know
you so I wasn't commenting on you specifically.

> I believe I did not argue that security is only an issue with PHP, or
> argue that the PHP _language_ is all that matters.

No, but you did strongly imply that applications written in PHP have a
higher risk of security flaws (presumably in comparison to some unnamed
alternative languages), which is what I take issue with. Do you have
metrics to support that claim? Because in my experience, and the
experience of recognized professionals in the security field, the
language used to build an application is not a strong indicator of how
secure the application is.

>
> Yes, it is _possible_ to find bad, insecure code in any language.
>
> Yes, it is _possible_ to secure PHP.
>
> But what is your point?  That it is equally likely to find bad, insecure
> code anywhere, in any language and using any coding style?
>

My point is that throwing out and re-implementing an entire code base
(or several) because of language elitism and security superstition is
probably a mistake. If the only thing that is wrong with these
applications is that you don't like the language they were written in,
then I would say that there is nothing wrong with them at all. If they
have actual flaws which you can identify, then fix them in the existing
code base with the existing language. I have not seen any objective
evidence so far that indicates re-implementing these projects from
scratch in any other language would be any more efficient than
maintaining the existing code.

Arguing which languages or coding styles do or don't produce secure code
is a religious argument, unless you have objective metrics to back up
your claims. And frankly, unless you're the one putting in the hours to
do the rewrite then the discussion is just bikeshedding anyways.


Also, I'll point out again, I'm still not talking about you personally,
I'm talking about the discussion and its participants in general (which
now includes myself). Arguing religion doesn't solve problems; solving
problems solves problems.
