
Re: No sponsor found for weeks, what to do now?



On Wed, 2008-08-27 at 19:30 +0200, Thijs Kinkhorst wrote:
> On Wednesday 27 August 2008 19:02, Neil Williams wrote:
> > 3. You're asking for sponsorship of PHP packages which are a security
> > nightmare (esp. wordpress that had a huge flamewar around the time of
> > the Etch release due to security issues). Many sponsors are justifiably
> > wary of PHP packages after seeing many others being flamed to a crisp by
> > the security team and ftp-master team. Personally, I won't touch PHP
> > packages ever again - I'm reconsidering my own PHP in favour of perl and
> > if I could do without php on my own servers, I would.
> 
> Although there are PHP applications that are a security nightmare, there are 
> well-written applications just as well. This goes for any programming 
> language. 

OK, PHP has more than a fair share but, yes, there are some good PHP
applications. However, the reputation of PHP is enough to hinder
sponsorship of new PHP packages, IMHO. New PHP packages, in my
experience, are extremely unlikely to be of sufficient quality to
compare with the few good PHP packages that exist in Debian. Even good
PHP applications have more security implications than a good C package,
IMHO. 

I've heard of Ruby-on-rails being discussed in the same worried tones as
PHP but I don't know Ruby. I know PHP, I write PHP, I could sponsor PHP
but I won't because the security implications of PHP would keep me awake
at night. As I said, I have enough worries about what little PHP I use
myself.

> Plus, I've surely not seen anyone being "flamed [...] by the security team", 
> let alone "to crisp",

(Some of that happened off-list and one of the people involved is
well-known to me due to interests outside Debian. I can vouch that some
of the off-list stuff was easily described as 'flaming to a crisp'.)

>  let even further alone those "many" people you're 
> talking about, and find the suggestion that we would act in such a way a bit 
> offensive.

Mentors might not, others certainly have done. It doesn't serve the list
to pretend that security and PHP are not poor bedfellows or that PHP
will not invite some very firm, very pointed and extremely critical
responses outside this list.

> Please, this mailinglist is intended as a friendly place to get help and 
> sponsorship on your packages. It would be helpful to write in a more balanced 
> tone than you used in this email.

There is a difference between being friendly and being firm. There are
clear problems that, IMHO, sufficiently explain the reasons for not
looking at any PHP packages at this time. I don't care if I do dismiss
PHP without review - I think that requests to sponsor PHP deserve to be
dismissed unseen at this time, for the reasons I have already explained.

I strongly recommend that any maintainer on this list who is waiting
for a sponsor look exclusively at existing packages rather than new
ones, and specifically at packages that have RC bugs, at the expense of
anything else.

Right now, NEW packages simply do not matter.

IMHO, until Lenny is released, NEW == waste of time and a new PHP
package is even worse, let alone TWO.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/

