[ale] Well, this does nothing for the reputation of Linux

Andy Borgmann andy at borgmann.me
Mon Jul 22 10:15:49 EDT 2013


Mike -

Well maybe I should look into C ;)

No need to get defensive.  I am not "minding" you, and I am sure you are a
great programmer and have more experience than me.  My only point in this
is that PHP is not inherently insecure.  Not saying it is better than C or
Java or Python.  All I am saying is that the security flaws in PHP have
more to do with poorly written code that is publicly viewable to the world
than the system itself, and that the examples provided thus far haven't
convinced me that it is any less secure than I originally knew other than
less qualified people use it due to the low barrier of entry.

And I would very much be interested in what you know about HipHop, because
everything I have read about it and looked into relates to performance, not
security.

--
Andy Borgmann

E-mail: andy at borgmann.me
Cell Phone: (404) 492-6527
Personal Website: http://andy.borgmann.me/

"Preach the Word; be prepared in season and out of season; correct,
rebuke and encourage - with great patience and careful instruction." -
2 Timothy 4:2


On Mon, Jul 22, 2013 at 10:09 AM, Michael B. Trausch <mbt at naunetcorp.com>wrote:

>  On 07/22/2013 09:57 AM, Andy Borgmann wrote:
>
> Facebook hasn't had any hacks that I am aware of.  I know they release a
> lot of information via Graph and other areas, which leads many of us to
> feel uncomfortable with their security practices.  But it seems all the
> information that is released is released by design.  And I don't see how
> just because they run PHP through HipHop (which they created) to run their
> code through C and C++ for *performance reasons* makes it any more secure
> than standard PHP?
>
>
> Relevant quote, with emphasis added:
>
>
> Facebook does not run the official PHP, *they run a subset of it* that is
> then compiled, if memory serves, to C++ and then compiled to system code.
>
>
> Last I checked, there were two major categories of things they left out;
> first one being things that were too difficult to implement (but I think
> they got those later), and the second, they removed functionality that
> serves little purpose other than to install security flaws in code.  There
> is some overlap between the two categories, but remember that HH is a
> subset of PHP (and in some cases, even a superset—static type checking, à
> la Python, significantly reduces security flaws due to silent coercion, for
> example).
>
> But, don't mind me.  I've only been programming in several languages for a
> little over two decades and writing production applications for the last
> decade.  I've used C, C#, Java, Python and PHP enough to be able to give a
> fair amount of comparison between them (with my C++ being out of date as I
> haven't seriously used it in about five years).  And I know more languages
> than that, albeit not at the level of what I would call "native fluency"
> yet.
>
> PHP is making some improvements, but they have a long way to go before
> they are secure by default.  And even further to go before they have an
> audience that is secure by default, which is an intractable problem.
>
> In short, PHP applications can be made provably secure by tailoring the
> language to the audience it has.  Those who can program PHP properly are
> probably also pretty good C programmers, or would be if they aren't already.
>
>     — Mike
>
>
> --
>   Michael B. Trausch
>
> President, *Naunet Corporation*
> ☎ (678) 287-0693 x130 or (888) 494-5810 x130
>
>