[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Copyright issues GPL-PHP license

On Sun, 6 May 2007 14:38:38 -0300
"Alex Queiroz" <asandroq@gmail.com> wrote:

> Hallo,
> On 5/6/07, Neil Williams <linux@codehelp.co.uk> wrote:
> >
> > This isn't about PHP, it isn't about copyright, it is simply a bad
> > package that was badly thought out and badly implemented with the wrong
> > design in mind. The idea of a web server written in PHP is ludicrous.
> >
> > Debian should and does censor daft programming. Just because you can,
> > does not mean you should.
> >
>      I'm confused. You say this isn't about PHP but then adds that the
> idea of a PHP webserver is ludicrous.

It isn't about PHP: I have nothing against other PHP packages in Debian
- they play to the strengths of PHP, not its weaknesses.

It is about the choice of PHP for this specific package.

Not all programming languages can or should be used for all programming
tasks. PHP is fine for certain tasks, it is awful (i.e. buggy) at

The idea of writing a webserver in PHP is plain daft. PHP is not a sane
choice for such a project. The reason for that is obvious from my other
replies and you agree with those reasons:

>     But as others said, it seems that PHP packages are particularly
> prone to bugs. Now, THAT'S a good criterion.

PHP is susceptible to particular kinds of bugs that would affect a PHP
webserver more than most PHP applications, which would be more severe
in a PHP webserver than in most PHP applications and which would
highlight the crazy idea to use PHP for this project in the first
place. Allowing this kind of package into Debian would make a laughing
stock out of Debian QA. Ubuntu have it, lovely - they can keep it IMHO.

Keep PHP doing what it does well - don't push it into areas where it is
acknowledged as weak.

> I do not write in PHP, I do not
> even like the language,

Then maybe this is down to a lack of use of the language in question on
your part. I do use PHP - I use it a lot, almost as much as C - I do
like to write certain things in PHP but I would never have dreamt of
writing a webserver in PHP - as a PHP programmer of some 7 years, the
very idea scares me witless.

I was writing PHP long before I became a DD. I've made mistakes in PHP
that have involved some very nasty problems and I know from personal
experience that PHP is NOT a good language for projects that have any
kind of security requirements. A webserver is probably THE most
important program running on most Debian servers, from a security
perspective. If an attacker wants to own your server, the first door he
will probably try is port 80 - nanoweb. You might as well just give the
box a blank root password and allow root login. Debian does NOT need
that kind of headache.

> but I find the criterion "What? They wrote
> <software> in <language>? That's putrid!" to refuse packages a very
> short-sighted one.

Why? It flows inexorably from the acknowledged fact that PHP is
afflicted with more than a fair share of security bugs, allied to the
fact that a webserver is a particularly BAD place to have a package
that is known to be very vulnerable to security bugs!

nanoweb is a ludicrous project because:
1. PHP is known to be a source of problematic security bugs.
2. webservers are not good places for security bugs.
3. nanoweb upstream decided that despite the two well known problems
above, that PHP would make a good choice for their webserver.

It's not short-sighted, it is practical. You cannot overcome the
limitations of the language within the package. Putting such security
bugs into a server process that is accessible to the entire internet,
that is KNOWN to be vulnerable to security attack and which CANNOT
be fixed reliably (because of the limitations of that language) is


Neil Williams

Attachment: pgpACTQEsm08t.pgp
Description: PGP signature

Reply to: