On Sun, 6 May 2007 14:38:38 -0300 "Alex Queiroz" <asandroq@gmail.com> wrote: > Hallo, > > On 5/6/07, Neil Williams <linux@codehelp.co.uk> wrote: > > > > This isn't about PHP, it isn't about copyright, it is simply a bad > > package that was badly thought out and badly implemented with the wrong > > design in mind. The idea of a web server written in PHP is ludicrous. > > > > Debian should and does censor daft programming. Just because you can, > > does not mean you should. > > > > I'm confused. You say this isn't about PHP but then adds that the > idea of a PHP webserver is ludicrous. It isn't about PHP: I have nothing against other PHP packages in Debian - they play to the strengths of PHP, not its weaknesses. It is about the choice of PHP for this specific package. Not all programming languages can or should be used for all programming tasks. PHP is fine for certain tasks, it is awful (i.e. buggy) at others. The idea of writing a webserver in PHP is plain daft. PHP is not a sane choice for such a project. The reason for that is obvious from my other replies and you agree with those reasons: > But as others said, it seems that PHP packages are particularly > prone to bugs. Now, THAT'S a good criterion. PHP is susceptible to particular kinds of bugs that would affect a PHP webserver more than most PHP applications, which would be more severe in a PHP webserver than in most PHP applications and which would highlight the crazy idea to use PHP for this project in the first place. Allowing this kind of package into Debian would make a laughing stock out of Debian QA. Ubuntu have it, lovely - they can keep it IMHO. Keep PHP doing what it does well - don't push it into areas where it is acknowledged as weak. > I do not write in PHP, I do not > even like the language, Then maybe this is down to a lack of use of the language in question on your part. I do use PHP - I use it a lot, almost as much as C - I do like to write certain things in PHP but I would never have dreamt of writing a webserver in PHP - as a PHP programmer of some 7 years, the very idea scares me witless. I was writing PHP long before I became a DD. I've made mistakes in PHP that have involved some very nasty problems and I know from personal experience that PHP is NOT a good language for projects that have any kind of security requirements. A webserver is probably THE most important program running on most Debian servers, from a security perspective. If an attacker wants to own your server, the first door he will probably try is port 80 - nanoweb. You might as well just give the box a blank root password and allow root login. Debian does NOT need that kind of headache. > but I find the criterion "What? They wrote > <software> in <language>? That's putrid!" to refuse packages a very > short-sighted one. Why? It flows inexorably from the acknowledged fact that PHP is afflicted with more than a fair share of security bugs, allied to the fact that a webserver is a particularly BAD place to have a package that is known to be very vulnerable to security bugs! nanoweb is a ludicrous project because: 1. PHP is known to be a source of problematic security bugs. 2. webservers are not good places for security bugs. 3. nanoweb upstream decided that despite the two well known problems above, that PHP would make a good choice for their webserver. It's not short-sighted, it is practical. You cannot overcome the limitations of the language within the package. Putting such security bugs into a server process that is accessible to the entire internet, that is KNOWN to be vulnerable to security attack and which CANNOT be fixed reliably (because of the limitations of that language) is ludicrous. -- Neil Williams ============= http://www.data-freedom.org/ http://www.nosoftwarepatents.com/ http://www.linux.codehelp.co.uk/
Attachment:
pgpACTQEsm08t.pgp
Description: PGP signature