oss-sec mailing list archives
Re: WordPress (all versions): SPOF, RCE, and Negligence
From: Ben Tasker <ben () bentasker co uk>
Date: Mon, 21 Nov 2016 19:40:12 +0000
Hi Michael,

On 21 Nov 2016 18:45, "Michael Babker" <michael.babker () gmail com> wrote:
> While I can somewhat understand why the Linux distributions choose the model they use for their "long term support" packages, it honestly does a disservice to those of us who now have to defensively code around it. We can no longer rely on a package's version to accurately represent the state of the code base.
I agree, and truth be told I think there's some ground to be given on either side. There are good reasons for using stable distros, but as you say it makes it very hard to build something when you can't rely on version numbers to identify patch levels.
> I was Joomla's release lead at the time this decision was made. We did not arbitrarily choose a PHP version number, arbitrarily locking out vendor modified PHP builds distributed with the LTS distros, just because we wanted to.
Sorry, didn't mean to make it sound like it was arbitrary. I know the reasoning was based on available functionality vs required functionality.
> While I understand where you are coming from, to be quite frank, I don't believe the PHP ecosystem and its major players can continue to cater to these modified PHP builds as might have been expected in years past.
The problem is that these builds still constitute the majority of your target market. It'll start to improve for a while due to Jessie and CentOS 7 having a higher version, but as those approach EOL the same issue will probably come up again. The average user who just buys hosting doesn't have an awful lot of control over what the hosts run either (though things do actually seem to be improving in this regard).

I don't have a good answer as to what the solution is. There're very good reasons for the LTS approach, but you're right about it being an untenable position. I am inclined to think it should be down to the distros to find a resolution for, whether through exposing a reliable means to check functionality level or some other means.
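The exchange above turns on one practical point: on a distro LTS build, PHP_VERSION stays at the original release while fixes (and occasionally functions) are backported, so a version string cannot tell an installer what the runtime actually provides. The following is an added example, not code from this thread or from Joomla or WordPress, contrasting a version gate with a capability gate that probes the runtime directly. The list of required capabilities is an assumption chosen for illustration, and the code is deliberately written for PHP 5.4 and later so the probe itself runs on the older builds being discussed.

```php
<?php
// Added example, not code from the thread or from any project named in it.
// A version gate trusts PHP_VERSION; a capability gate asks the runtime what
// it can do. Only the second answer is reliable on a vendor-patched build.
// The required-capability list is an assumption for illustration.

function required_capabilities()
{
    return array(
        // capability name => how to probe for it
        'random_bytes'  => 'function',   // CSPRNG, native since PHP 7.0
        'hash_equals'   => 'function',   // constant-time compare, native since 5.6
        'password_hash' => 'function',   // bcrypt helper, native since 5.5
        'openssl'       => 'extension',
        'json'          => 'extension',
    );
}

// Version gate: what an installer does when it trusts the version string alone.
function version_gate_allows($minimum, $actual = PHP_VERSION)
{
    return version_compare($actual, $minimum, '>=');
}

// Capability gate: returns the names that are missing (empty array means OK).
function missing_capabilities(array $required)
{
    $missing = array();
    foreach ($required as $name => $probe) {
        switch ($probe) {
            case 'function':
                $present = function_exists($name);
                break;
            case 'extension':
                $present = extension_loaded($name);
                break;
            default:
                $present = false;   // unknown probe kind: fail closed
        }
        if (!$present) {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Run both gates so the difference between them is visible on a given build.
function capability_report($minimum_version = '7.0.0')
{
    $missing = missing_capabilities(required_capabilities());
    return array(
        'php_version'            => PHP_VERSION,
        'version_gate_allows'    => version_gate_allows($minimum_version),
        'missing_capabilities'   => $missing,
        'capability_gate_allows' => count($missing) === 0,
    );
}

if (PHP_SAPI === 'cli' && isset($argv) && realpath($argv[0]) === __FILE__) {
    foreach (capability_report() as $key => $value) {
        if (is_array($value)) {
            $shown = empty($value) ? '(none)' : implode(', ', $value);
        } else {
            $shown = var_export($value, true);
        }
        printf("%-24s %s\n", $key, $shown);
    }
}
```

Run it with `php check.php` on each build you need to support. A distro 5.6 package fails the version gate for a 7.0 minimum even though it has `hash_equals` and `password_hash`, while a build that genuinely lacks `random_bytes` is caught by the capability gate regardless of what its version string claims. The practical limit is that `function_exists` only tells you a function is present, not that a given security fix has been backported; that is the gap the thread is asking distros to close.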
Current thread:
- WordPress (all versions): SPOF, RCE, and Negligence Scott Arciszewski (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Ben Tasker (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Michael Babker (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Scott Arciszewski (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Solar Designer (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Ben Tasker (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Michael Babker (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Ben Tasker (Nov 21)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Hanno Böck (Nov 22)
- Re: WordPress (all versions): SPOF, RCE, and Negligence Scott Arciszewski (Nov 22)