> First of all PHP group is doing nothing. Neither do they improve PHP's
> security nor do they stop well known PHP license abusers (because they
> are friends).

OK, that's just not true and it is obvious to anybody with access to the commit logs (namely, everybody) - bugs are getting fixed and improvements are getting done. You may argue they are not enough, but you certainly cannot claim that nothing at all is done. As for the alleged license abuse, I am aware of your sensitivity in this regard; however, this has nothing to do with the subject of security, so it would be very good if we stuck to the subject.

> And do I need to remind you about a certain bug in the new super duper
> Zend Memory manager that results in a far too small buffer being allocated?

Actually yes, you do - I don't remember any unfixed bugs in Zend MM, so if you know of an unfixed vulnerability there please do remind me about it - preferably through the security list, of course, so all the usual people see it.

> against PHP. And god knows how many other places are vulnerable because
> of the new "improved" Zend Memory Manager.

If you have ideas on how to make it work better, you are more than welcome to discuss them. By "discuss" I mean the thing regular people mean - exchange ideas, evaluate their merits and hopefully reach a decision that is best for all, not that one participant calls others liars, morons and useless marketing droids, dismisses everything they say as propaganda and refuses to contribute anything. Any discussion in the former sense is more than welcome; if you want to help, you can write your proposals to me, for example. Last time I asked about this I got a response along the lines of "why should I help?". However, the door is still very much open.

> And what about the heap underflow bug in ext/filter... Also not a remote
> exploit?

Again, I was under the impression the underflow bug was fixed. If you know about another, unfixed one - please... you know.

> The fact that you do not know about any remote exploit against PHP is
> quite irrelevant for reality.

I can't avoid noticing that you forgot to answer my question. To remind you, my question was not "does my knowledge seem adequate to you". My question was "what did you mean by recognizing the reality by the PHP group and what do you propose to do". Could you please try again?
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
