Date: Mon, 21 Nov 2016 19:40:12 +0000 From: Ben Tasker <ben@...tasker.co.uk> To: oss-security@...ts.openwall.com Subject: Re: WordPress (all versions): SPOF, RCE, and Negligence Hi Michael, On 21 Nov 2016 18:45, "Michael Babker" <michael.babker@...il.com> wrote: > > > While I can somewhat understand why the Linux distributions choose the > model they use for their "long term support" packages, it honestly does a > disservice to those of us who now have to defensively code around it. We > can no longer rely on a package's version to accurately represent the state > of the code base. I agree, and truth be told I think there's some ground to be given on either side. There are good reasons for using stable distros, but as you say it makes it very hard to build something when you can't rely on version numbers to identify patch levels. > > I was Joomla's release lead at the time this decision was made. We did not > arbitrarily choose a PHP version number, arbitrarily locking out vendor > modified PHP builds distributed with the LTS distros, just because we > wanted to. Sorry, didn't mean to make it sound like it was arbitrary. I know the reasoning was based on available functionality vs required fuctionality. > While I understand where you are coming from, to be quite frank, I don't > believe the PHP ecosystem and its major players can continue to cater to > these modified PHP builds as might have been expected in years past. The problem is that these builds still constitute the majority of your target market. It'll start to improve for a while due to Jessie and CentOS7 having a higher version, but as those approach EOL the same issue will probably come up again. The average user who just buys hosting doesn't have an awful lot of control over what the hosts run either (though things do actually seem to be improving in this regard) I don't have a good answer as to what the solution is. There're very good reasons for the LTS approach, but you're right about it being a untenable position. I am inclined to think it should be down to the distros to find a resolution for, whether through exposing a reliable means to check functionality level or some other means
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.