On 11/9/2017 7:36 AM, Sara Golemon wrote:
The sixth (and likely final) release candidate for 7.2.0 was just
released and can be
downloaded from:
https://downloads.php.net/~pollita/
Or using the git tag: php-7.2.0RC6
Barring unforeseen calamity, everyone should expect 7.2.0-final on
Thursday, November 30th.
Issue #73535? I consider letting a known security vulnerability that
goes largely unaddressed but persists into the next major version of a
software product to be quantifiable as a calamity of sorts. It's fast
approaching a full year without any resolution in sight. Many people
would have zero day-ed the issue by this point at whatever conferences
have come and gone (Black Hat, DEF CON, etc.) to grab some quick
notoriety. I don't believe that zero day-ing a vulnerability on a stage
is the right solution for a garden variety of reasons.
Regardless, we can all agree that the ball was seriously dropped here
and that there's certainly room for improvement in the release process.
Ideally, someone should be specifically assigned to interact with the
global team pre-RC1 of any major release where their sole responsibility
is to walk through the bugs queue in order to identify and properly
triage vulnerabilities in the software that might require a BC-break so
that by the time -final happens, the relevant patches are fully tested
and ready to go out with the release. I'd wager that #73535 isn't the
only reported unpatched vulnerability in the issue tracker.
I still think that there's time to apply a reasonable-ish patch to make
it into 7.2 and maybe prepare a similar patch for 7.1 and 5.6. What
those patches should be, I don't know. My original suggestion was shot
down since I missed/overlooked something. The only options I can think
of are a slightly hacky solution or a cleaner solution that requires a
BC-break.
--
Thomas Hruska
CubicleSoft President
I've got great, time saving software that you will find useful.
http://cubiclesoft.com/
And once you find my software useful:
http://cubiclesoft.com/donate/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php