Re: ampache security audit
Thijs Kinkhorst wrote:
> On Wednesday 4 July 2007 06:28, Charlie wrote:
>
>> "Especially for such **insert curse words here** languages like php".
>>
>> Why do you feel that php is a **insert curse words here** language?
>>
>> If PHP is such a **insert curse words here** language, then why does Debian
>> allow apps such as roundcube and gallery2, to mention a few, into the
>> repos?
>>
>> Which language would you recommend using and why do you recommend it?
>>
>
> I think Bernd has used unfortunate words to express that in his opinion, it's
> easier in PHP to create security bugs in your code.
>
> I only agree to that to a limited extent. The most important problem, register
> globals, has been resolved (Debian tells users not to use that setting or be
> on their own). However, it is true that it's easy to start coding in PHP so
> there's a higher level of inexperienced programmers. It's also true that web
> applications in general are more vulnerable to bugs, but this is not
> PHP-specific.
>
> A traditional language like C also has its own classes of security problems.
>
> You should be careful with any package you upload to Debian, and specifically
> web applications. I do not recommend other languages than PHP that are
> supposedly 'better', because the security of the app depends so much more on
> the programmers than on the actual language used.
>
> You could say that the easiness of PHP selects in favour of less experienced
> programmers, so an audit can be worthwhile.
>
> It helps no-one to be cursing at specific languages and I don't see the added
> value of that to this list.
>
>
> Thijs
>
I stand corrected, and I apologize for my conduct.
Charlie
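Worked illustration of the register_globals bug class that Thijs names as the most important PHP problem. This is an added example, not code from this thread, from Ampache, or from Debian; it assumes a script at global scope after `session_start()`, and the variable names are invented. The directive was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP only the second half applies, but the "initialise before use, read input only from superglobals" habit is what keeps such code safe regardless of ini settings.

```php
<?php
// Added example (not from the thread or from Ampache). Shows why
// register_globals=On was dangerous and what the defensive form looks like.
// Assumes session_start() has already run and populated $_SESSION.

// --- Vulnerable form (only a problem when register_globals is On) ---
// $is_admin is assigned on the admin path only. With register_globals on,
// PHP pre-populated the global scope from request parameters, so a request
// carrying a parameter of the same name would already have set $is_admin
// before this code ran, and the later check would pass for a non-admin.
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $is_admin = true;
}
if (!empty($is_admin)) {
    // privileged action
}

// --- Defensive form ---
// 1. Refuse to run at all if the dangerous setting is active. On PHP < 5.4
//    ini_get() returns "1"/"" for on/off; on newer PHP the directive no
//    longer exists and ini_get() returns false, which is also "off".
if (ini_get('register_globals')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be disabled (Debian ships it off by default)');
}

// 2. Initialise every variable before it is used, so no earlier assignment
//    (from any source) can influence the check.
$is_admin = false;
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $is_admin = true;
}

// 3. Read user input explicitly from the superglobals and validate it,
//    never rely on request parameters appearing as plain variables.
$page = 'home';
if (isset($_GET['page']) && preg_match('/^[a-z]{1,20}$/', $_GET['page'])) {
    $page = $_GET['page'];
}

if ($is_admin) {
    // privileged action
}
```

The second half is the shape an audit of the kind discussed in the thread would look for: a variable that is only ever set on the privileged path, with no explicit initialisation, is the signature of this bug class even in code that never touches `register_globals` directly.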