Re: Re: Windows Peer Verification

From:	Sanford Whiteman	Date:	Mon, 03 Feb 2014 20:34:38 +0000
Subject:	Re: Re: Windows Peer Verification
References:	1 2 3	Groups:	php.internals
Request:	Send a blank email to [email protected] to get a copy of this message

> No one is arguing against ease-of use here.

PHP users may now need to have write access to PHP.INI in order to not
get logs filled with security warnings, for the same code that
previously did not issue a warning. Or else they need to change all
outbound stream code, which in many cases isn't even theirs to safely
change.

This isn't ease-of-use. This is hardening security at the cost of
ease-of-use for some users. We must call it what it is.

> Have you read the relevant RFCs? 

I was the one who told you the Peer Verification RFC would break the
official WPI package (break == E_WARNING without end) and nobody cared
then. Now it's like a minor after-the-fact surprise after the RFC was
accepted.

This thread itself actually surprised me: I honestly didn't think you
cared about the issue at all. Figured the next we'd hear about it
would be in WONTFIXes on the bug tracker with directions to download
the CA bundle. I'm psyched I got the earlier heads-up on Internals,
and I don't worry about our servers because I have full control. Other
users don't and you will upset them. I am not saying these changes to
PHP are not advisable. They are! But how can you be "befuddled" when
you started a thread that notes that Windows users may need to have
sysadmin privileges -- else they will be constantly reminded that they
don't?

> Please just take sixty seconds to at least read this one part then
> come back and tell me I'm making it *more difficult* for the average
> user to make secure transfers. 

We will have made it easier for PHP users to either

[a] make secure transfers

or

[b] fill up their logs with warnings

The "average" user will fit into [a] per recent PHP statistics (at
least on the production side) so yeah, the "average" user will see a
major benefit.

How many users need to fit into [b] for you to acknowledge that this
rollout is going to be less than fully successful -- not a failure,
just not an unqualified success -- unless we take those users
seriously?

> Instantly discounting those is a myopic approach. You can't just
> instantly rule out that bundling a file might not be feasible.

It's fine to not bundle a file.

It's not fine to pretend that warnings will not be endlessly spewed on
Windows without a file.

It's not fine to suppress these warnings on Windows but not elsewhere.

-- S.



   

Thread (53 messages)

• Daniel LowreyMon, 03 Feb 2014 18:08:26 +0000
  • Pierre JoyeMon, 03 Feb 2014 18:25:33 +0000
    • Daniel LowreyMon, 03 Feb 2014 18:46:38 +0000
      • Pierre JoyeMon, 03 Feb 2014 18:49:33 +0000
        • Ferenc KovacsMon, 03 Feb 2014 19:00:44 +0000
      • Sanford WhitemanMon, 03 Feb 2014 18:59:38 +0000
        • Pádraic BradyMon, 03 Feb 2014 19:33:54 +0000
  • Sanford WhitemanMon, 03 Feb 2014 18:35:22 +0000
  • Chris WrightSat, 22 Feb 2014 00:31:28 +0000
    • Daniel LowreySat, 22 Feb 2014 00:58:44 +0000
    • Pierre JoyeSat, 22 Feb 2014 08:30:11 +0000
      • Chris WrightSat, 22 Feb 2014 10:51:14 +0000
        • Daniel LowreySat, 22 Feb 2014 13:12:40 +0000
        • Pierre JoyeSat, 22 Feb 2014 13:19:27 +0000
          • Chris WrightSat, 22 Feb 2014 22:59:30 +0000
          • Jakub ZelenkaSun, 23 Feb 2014 15:25:27 +0000
    • Ferenc KovacsTue, 25 Feb 2014 16:38:51 +0000
    • Chris WrightWed, 26 Feb 2014 09:48:38 +0000
      • Anatol BelskiWed, 26 Feb 2014 10:39:04 +0000
        • Chris WrightWed, 26 Feb 2014 11:09:31 +0000
          • Anatol BelskiWed, 26 Feb 2014 11:35:07 +0000
            • Chris WrightWed, 26 Feb 2014 11:57:27 +0000
              • Anatol BelskiWed, 26 Feb 2014 15:37:05 +0000
                • Chris WrightSun, 02 Mar 2014 21:07:19 +0000
• Daniel LowreyMon, 03 Feb 2014 19:19:36 +0000Re: Windows Peer Verification
  • Daniel LowreyMon, 03 Feb 2014 19:27:01 +0000
    • Pierre JoyeMon, 03 Feb 2014 19:39:31 +0000Re: Re: Windows Peer Verification
  • Sanford WhitemanMon, 03 Feb 2014 19:33:39 +0000Re: Re: Windows Peer Verification
    • Daniel LowreyMon, 03 Feb 2014 19:44:01 +0000
      • Sanford WhitemanMon, 03 Feb 2014 20:34:38 +0000
      • Daniel LowreyMon, 03 Feb 2014 21:45:44 +0000
        • Sanford WhitemanMon, 03 Feb 2014 22:17:26 +0000
          • Sanford WhitemanMon, 03 Feb 2014 22:21:08 +0000
          • Pádraic BradyMon, 03 Feb 2014 23:41:02 +0000
            • Sanford WhitemanMon, 03 Feb 2014 23:56:46 +0000
              • Pádraic BradyTue, 04 Feb 2014 00:29:29 +0000
                • Sanford WhitemanTue, 04 Feb 2014 00:32:39 +0000
            • Sanford WhitemanTue, 04 Feb 2014 00:05:03 +0000
              • Sanford WhitemanTue, 04 Feb 2014 00:36:12 +0000
        • Pierre JoyeTue, 04 Feb 2014 05:46:47 +0000
          • Sanford WhitemanTue, 04 Feb 2014 05:58:40 +0000
            • Pierre JoyeTue, 04 Feb 2014 06:14:43 +0000
              • Lester CaineTue, 04 Feb 2014 07:38:31 +0000
                • Pierre JoyeTue, 04 Feb 2014 07:39:14 +0000
                  • Lester CaineTue, 04 Feb 2014 07:57:24 +0000
                    • Pierre JoyeTue, 04 Feb 2014 08:00:12 +0000
                      • Lester CaineTue, 04 Feb 2014 08:29:53 +0000
                        • Pierre JoyeTue, 04 Feb 2014 08:35:19 +0000
                          • Lester CaineTue, 04 Feb 2014 09:03:02 +0000
                            • Pierre JoyeTue, 04 Feb 2014 09:24:06 +0000
                              • Sanford WhitemanThu, 06 Feb 2014 06:13:39 +0000
                                • Ferenc KovacsThu, 06 Feb 2014 14:09:49 +0000
  • Sanford WhitemanMon, 03 Feb 2014 19:37:49 +0000Re: Re: Windows Peer Verification