Re: Re: Windows Peer Verification

From:
Date: Mon, 03 Feb 2014 23:56:46 +0000
Subject: Re: Re: Windows Peer Verification
Groups: php.internals

> I'm sorry, but this is simply outrageous. It is a programmer's
> responsibility to code securely. It's not absurd, it's reality. If
> you can't program securely, you shouldn't be programming. 

No, the reality is that (most) PHP users (most of whom are consuming
someone else's code to some degree) assume that making an SSL
connection means "secure."

It is absurd to claim otherwise. In fact, _we are agreeing that that
assumption should always have been correct_ by changing the default
behavior in PHP!  

How can you possibly "blame" users and "fix" the behavior at the same
time?

> Your blaming of PHP is significantly misplaced. 

No, it is not. 

If it were, this patch would not exist, for it has ALWAYS been
possible to create a peer-verified outbound connection from PHP. 

You cannot at once place blame only on the developer and make a core
change so the language is "the way it should always have been."

-- S.


