Hi Yasuo, On Mon, Aug 5, 2013 at 11:38 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> On Mon, Aug 5, 2013 at 7:26 PM, Arpad Ray <array...@gmail.com> wrote: > >> Could you point me to where this was decided please? I don't see a vote >> or anything like a consensus in the previous threads. > > > There isn't vote for this RFC since this is security. > It's also a consensus. > While this is a security concern, it's not a straightforward bug fix. When there's contention in how to fix it, I think there really should be a vote. I've read the other threads and I don't think has been any clear consensus about this issue and I, for one, am not happy to have what I feel is an inferior solution committed while it's still being discussed. To reiterate: this ini setting will quietly fail when using a handler which hasn't been patched, like memcached, or a custom handler. That's arguably worse than not having the setting at all since it could give people a false sense of security. Arpad
