from:"Peter Lind"

Re: [PHP-DEV] On not rushing things at the last minute

2018-07-10 Thread Peter Lind

On 10 July 2018 at 15:26, Dustin Wheeler  wrote:

*snip*


> Personally (for Class Friendship), I opted to target either 7.4 or 8.0
> (whichever was decided to be next-in-line)
>

Seems to me this is one of the issues - that this is something that isn't
just set in stone. If there was an overall roadmap of major and minor
versions, along with set dates and deadlines that could not be moved, this
wouldn't be an issue.


>
> At the same time, I would hate to see a TON of additional process /
> voting constraints come as a response to this issue.
>
> That said, if feature freeze for a release is announced well in
> advance, published, and there was an agreed "best intentions" policy
> to not submit RFCs that encroach on that date, then I think all would
> be well. I don't think there's any intent to slide features in under
> the finish line. It just seems like a lot of ideas finished baking at
> a weird time. That, or subconsciously, the talk of a new version of
> PHP sparked folks to get off their ass and put forth their ideas! :P
>
>
>
I think a hard deadline would be a better solution. Past that date, it
simply doesn't matter what the RFC is about, it'll make the next version at
the earliest, not the current one. Movable feature freeze and release dates
do not benefit the language or its users, nor most of the core developers,
I'd say.

Just my take on it.

-- 
CV: https://stackoverflow.com/cv/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Mailing list moderation

2018-01-03 Thread Peter Lind

On 3 Jan 2018 18:13, "Chase Peeler"  wrote:

On Wed, Jan 3, 2018 at 11:16 AM Andrey Andreev  wrote:

> Hi,
>
> On Wed, Jan 3, 2018 at 6:05 PM, Chase Peeler 
> wrote:
> >
> > I agree with Paul. It would be different if email clients that allowed
> > filtering were expensive or hard to find. They aren’t, though. Pretty
> much
> > every email client not only allows filtering, but rather advanced
> filtering
> > as well.
> >
> > Instead of suspending users, no matter how egregious their offenses may
> be,
> > let individual users filter them out as they see fit.
> >
>
> You have a point, but also have it in mind that we're talking about
> individuals participating in a discussion thread, and that's not the
> same as filtering out spam email or a news category that you're not
> interested in.
>
> Cheers,
> Andrey.
>

Are you saying you can't configure your client to delete/move to another
folder any emails with a subject beginning with [PHP-DEV] that are sent
from tonymars...@hotmail.com or li...@rhsoft.net?
--
-- Chase
chasepee...@gmail.com


Missing the point and going for personal attacks instead. You make the
point of the OP rather than your own.

Re: [PHP-DEV] Re: PHP's mail servers suck

2017-11-07 Thread Peter Lind

On 7 Nov 2017 16:40, "Eli White" <e...@eliw.com> wrote:

On Tue, Nov 7, 2017 at 9:07 AM, Peter Lind <peter.e.l...@gmail.com> wrote:

> Might be worth noting that fixing the mailing lists does not amount to
> taking on the php.net mail servers. The two are separate - just in case
> someone should be up for one, but not both tasks.
>

In this case I believe that they are one and the same Peter.   As the
issues with the mailing list(s), are actually issues with the mail server
itself.

You might be right, but as far as I can tell, the lists server handles
receiving and sending for lists.php.net without the use of PHP.net. The
only issue outside of lists.php.net would be DNS, but that's handled
externally - the rest is handled on the lists server, by some derelict
mailing list software. That's also what previous discussions on the topic
bring up.

Re: [PHP-DEV] Re: PHP's mail servers suck

2017-11-07 Thread Peter Lind

Might be worth noting that fixing the mailing lists does not amount to
taking on the php.net mail servers. The two are separate - just in case
someone should be up for one, but not both tasks.

On 7 November 2017 at 14:48, Eli White  wrote:

> Just chiming in that I have constantly had issues (since you asked for
> hands), get emails denied (let's see if this one goes through), and
> semi-constant threads of being auto-removed because of bounces that have
> nothing to do with me (see above gmail discussion).
>
> Yeah, it sucks.  And it's been brought up in the past.  And invariably it
> all falls back to "Oh, only one person really knew how to maintain that
> random mail server and they aren't active anymore, and now no-one really
> does, so it just keeps running and no-one wants to take the effort to try
> to update/fix/move it"
>
> Eli
>
> PS. Not it
>
>
> On Tue, Nov 7, 2017 at 8:38 AM, Sara Golemon  wrote:
>
> > Biweekly reminder that PHP mail servers suck.
> >
> > On Wed, Oct 25, 2017 at 10:30 AM, Sara Golemon  wrote:
> > > Quick show of hands: Who's had a "looks like spam" bounce from php.net
> > > mail servers in the past... lets say the past month.
> > > Or how about the fact that new users tend to have a very hard time
> > > even subscribing to this list?
> > > This isn't directed at any one person because AFAICT, the maintainer
> > > of those systems is "nobody".
> > > Is it time to pick someone to actually maintain that pile of mierde?
> > > Maybe replace the pieces that haven't worked since the 90s?
> > >
> > > Fed up with something this basic not working,
> > > -Sara
> >
> > --
> > PHP Internals - PHP Runtime Development Mailing List
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>



-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Simple variable handling.

2016-08-12 Thread Peter Lind

On 12 August 2016 at 13:15, Lester Caine <les...@lsces.co.uk> wrote:

> On 12/08/16 12:09, Peter Lind wrote:
> > And if all typos were switching 'e' and 'n', what a wonderful world it
> > would be. That is not the case though - it's possible to accidentally
> enter
> > " and > too.
> And the browser validation strips them and handles the ' when used in
> text fields.
>
>
No, it doesn't. It likely handles it on *most* browsers, but that still
doesn't mean you're safe - you don't know when someone suddenly decides to
try a new browser that doesn't behave the way you think it will.


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Simple variable handling.

2016-08-12 Thread Peter Lind

On 12 August 2016 at 13:01, Lester Caine <les...@lsces.co.uk> wrote:

> On 12/08/16 11:01, Peter Lind wrote:
> > On 12 August 2016 at 11:54, Rowan Collins <rowan.coll...@gmail.com>
> wrote:
> >
> >> On 12/08/2016 10:21, Lester Caine wrote:
> >>
> >>> Many of my systems run on secure intra-nets and much of the 'safety
> >>> concerns' that have been brought up recently as 'essential' simply
> don't
> >>> apply.
> >>
> >> There's always rogue employees / students / visitors with temporary
> >> access... But yes, IF you trust your users 100% to be non-malicious,
> >> non-curious, and uninfected, THEN you can trust your user input. :)
> >>
> > You forgot non-clumsy. Typos also happen and can have problematic
> results.
> >
> > You cannot trust user input. End of discussion.
>
> That someone puts in Joens rather than Jones is a fact of life, and will
> result in records that can't be matched. But a UK formatted date
> validated in the browser makes checking it's in a valid range easier in
> the PHP end. It's simply a matter of just what you can test and where,
> and if needs be the system keeps track of who is making mistakes in data
> entry and their supervisor deals with them. THAT is a report my CMS
> systems have had from day one :)


And if all typos were switching 'e' and 'n', what a wonderful world it
would be. That is not the case though - it's possible to accidentally enter
" and > too.



> But if they have stolen someone else’s
> access card then all bets are off. But there is no 'delete' function on
> the data so all changes are recorded.
>
>
 No, all bets are not off. That's the whole point of defense in depth.


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Simple variable handling.

2016-08-12 Thread Peter Lind

On 12 August 2016 at 12:52, Lester Caine <les...@lsces.co.uk> wrote:

> On 12/08/16 11:23, Peter Lind wrote:
> > On 12 August 2016 at 12:13, Lester Caine <les...@lsces.co.uk> wrote:
> >
> >> On 12/08/16 10:42, Peter Lind wrote:
> >>> On 12 August 2016 at 11:25, Lester Caine <les...@lsces.co.uk> wrote:
> >>>
> >>> Thanks for the ideas on this feature.
> >>>
> >>> A few thoughts.
> >>> 1. The RFC for this isn't a change - it's an addition. If it gets
> >> accepted
> >>> and implemented, you still would not have to change your code if you
> >> didn't
> >>> want to.
> >> I think that is the whole point ...
> >>
> > You're making different points, so maybe you should then be clearer.
>
> If you don't set a constraint or other 'intelligent' action then nothing
> changes?
>
>
This is missing the point entirely. The RFC was for a new feature, that you
don't have to use. Not for changing existing ones.



> >>> 2. There are differing ways of using the language. Yours is not better
> -
> >>> merely different. So I would think a relevant question is: can the RFC
> in
> >>> point support your style of coding along with that of others. A
> critical
> >>> point is throwing exceptions on invalid data, which might be hard to
> >> handle.
> >> Exceptions get generated hen something unhandled happens. Simple example
> >> 'divide by zero' only happens if the divisor is zero. If the variable
> >> used has a constraint of 'not zero' and has been validated then the
> >> exception will not be raised. My style would validate the divisor and
> >> only call the divide if it was going to work, others would allow the
> >> divide to fail and MAY actually handle the exception ;)
> >>
> > That doesn't address the point: if the feature should throw exceptions or
> > not, or allow for both styles.
>
> We already have a 'strict' mode which enables exceptions on some actions
> or leaves them as errors. I'm simply happy for both to co exist to keep
> others happy.
>
>
Good point.



> >>> 4. I think your suggestions might conflate validation and sanitation -
> >>> these are not the same and cannot be handled as one
> >> That people try to inject malicious input via variables is a different
> >> problem. Firebird database has always preferred parameter data so SQL
> >> injections just don't work, but other stuff does need clearing when
> >> input rather than simply relying on escaping unprocessed output. Again
> >> it's programming sytle?
> >>
> > No, it's not programming style. Conflating validation and
> > sanitation/escaping is wrong, because the contexts are different.
>
> The programming style 'point' is that many sites do simply slap
> htmlspecialchars() around all output and not worry that internally
> suspect data is floating around. On a couple of projects I've been using
> this was the sticking plaster while I prefer to ensure that the
> variables being passed were clean in the first place. In some situations
> sanitising the input may not be practical because of the workflow used
> but THAT is a matter of programming style?
>
>
But other programmers entirely foregoing validation is besides the point.
The point was that conflating validation with escaping/sanitizing is wrong
- and that still applies, even if your chosen method of validation is "I
don't".


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Simple variable handling.

2016-08-12 Thread Peter Lind

On 12 August 2016 at 12:13, Lester Caine <les...@lsces.co.uk> wrote:

> On 12/08/16 10:42, Peter Lind wrote:
> > On 12 August 2016 at 11:25, Lester Caine <les...@lsces.co.uk> wrote:
> >
> > Thanks for the ideas on this feature.
> >
> > A few thoughts.
> > 1. The RFC for this isn't a change - it's an addition. If it gets
> accepted
> > and implemented, you still would not have to change your code if you
> didn't
> > want to.
> I think that is the whole point ...
>
>
You're making different points, so maybe you should then be clearer.



> > 2. There are differing ways of using the language. Yours is not better -
> > merely different. So I would think a relevant question is: can the RFC in
> > point support your style of coding along with that of others. A critical
> > point is throwing exceptions on invalid data, which might be hard to
> handle.
> Exceptions get generated hen something unhandled happens. Simple example
> 'divide by zero' only happens if the divisor is zero. If the variable
> used has a constraint of 'not zero' and has been validated then the
> exception will not be raised. My style would validate the divisor and
> only call the divide if it was going to work, others would allow the
> divide to fail and MAY actually handle the exception ;)
>
>
That doesn't address the point: if the feature should throw exceptions or
not, or allow for both styles.



> > 4. I think your suggestions might conflate validation and sanitation -
> > these are not the same and cannot be handled as one
> That people try to inject malicious input via variables is a different
> problem. Firebird database has always preferred parameter data so SQL
> injections just don't work, but other stuff does need clearing when
> input rather than simply relying on escaping unprocessed output. Again
> it's programming sytle?
>
>
No, it's not programming style. Conflating validation and
sanitation/escaping is wrong, because the contexts are different.



> > That said, I generally think that built-in methods that accept Callables
> > are a great way to go. It encourages reuse through modular composition -
> > and could likely be a neater way around the throw exception/return error
> > code issue. It's obviously doable from userland, but could probably be
> > improved if implemented in the language.
>
> It was the fact that Yasuo was adding these rules into his array
> validation stuff that just grates so badly with what is actually needed ...
>
>
>
Yasuo was presumably scratching an itch that he (and possibly others) feel.
As such, it is in fact "what is actually needed". It just doesn't happen to
be what *you* actually need, but that doesn't mean it won't fit perfectly
for many others.

Regards
Peter


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Simple variable handling.

2016-08-12 Thread Peter Lind

On 12 August 2016 at 11:54, Rowan Collins  wrote:

> On 12/08/2016 10:21, Lester Caine wrote:
>
>> Many of my systems run on secure intra-nets and much of the 'safety
>> concerns' that have been brought up recently as 'essential' simply don't
>> apply.
>>
>
> There's always rogue employees / students / visitors with temporary
> access... But yes, IF you trust your users 100% to be non-malicious,
> non-curious, and uninfected, THEN you can trust your user input. :)
>
>
You forgot non-clumsy. Typos also happen and can have problematic results.

You cannot trust user input. End of discussion.


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Simple variable handling.

2016-08-12 Thread Peter Lind

On 12 August 2016 at 11:25, Lester Caine  wrote:

> On 12/08/16 10:07, Christoph M. Becker wrote:
> >> > I'm thinking
> >> > $var->setConstraint()
> >> > $var->setEscape()
> >> > $var->setReadOnly()
> >> >
> >> > Rather than having to build 'reflections' classes to pull out data
> that
> >> > a simple $var->is_valid or echo $var will output a correctly escaped
> >> > piece of text.
> > Actually, this is already possible; just use objects.  E.g.
> >
> >   class Container {
> > function __construct() {}
> > function setConstraint() {}
> > function setEscape() {}
> > function setReadOnly() {}
> > function isValid() {}
> > function __toString() {}
> >   }
> >   $var = new Container($some_value);
>
> This has been the problem all along. There is no overriding reason to
> change what we already have, but ALL of the improvements currently being
> discussed MAY be better handled with a return to the basic model of a
> variable. If a variable is 'readonly' there is no need to worry about
> each variable.
>
>
Thanks for the ideas on this feature.

A few thoughts.
1. The RFC for this isn't a change - it's an addition. If it gets accepted
and implemented, you still would not have to change your code if you didn't
want to.
2. There are differing ways of using the language. Yours is not better -
merely different. So I would think a relevant question is: can the RFC in
point support your style of coding along with that of others. A critical
point is throwing exceptions on invalid data, which might be hard to handle.
3. Your assumption of secure intra-nets is questionable. Defense in depth
is what one should strive for.
4. I think your suggestions might conflate validation and sanitation -
these are not the same and cannot be handled as one

That said, I generally think that built-in methods that accept Callables
are a great way to go. It encourages reuse through modular composition -
and could likely be a neater way around the throw exception/return error
code issue. It's obviously doable from userland, but could probably be
improved if implemented in the language.

Regards
Peter

-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Function auto-loading

2016-08-10 Thread Peter Lind

On 10 Aug 2016 19:05, "Bishop Bettini" <bis...@php.net> wrote:
>
> On Wed, Aug 10, 2016 at 5:37 AM, Peter Lind <peter.e.l...@gmail.com>
wrote:
>>
>> On 10 August 2016 at 10:51, Lester Caine <les...@lsces.co.uk> wrote:
>>
>> > On 09/08/16 06:54, Sara Golemon wrote:
>> > > On Mon, Aug 8, 2016 at 9:59 PM, Lester Caine <les...@lsces.co.uk>
wrote:
>> > >> So Composer IS now the rule rather than some optional extra?
>> > >>
>> > > Yes, the community has decided that for us.  Or at least, Composer is
>> > > a *significant* player in the ecosystem of PHP development.
>> > > require_once() might be fine for NiH applications, but for the
>> > > collaborative world of modern PHP, it's the defacto standard.
>> >
>> > Much as PSR also does.
>> > This is probably fine if one is starting a project from scratch, but
>> > with now 15+ years worth of code that does not follow this 'modern
>> > style' it's another barrier to moving code forward. There is nothing
>> > wrong with the code other than newer users done approve of the style of
>> > working :(
>> >
>> >
>> EVERYTHING is a barrier to moving your code forward. You tell the mailing
>> this on a regular basis.
>> Perhaps you should just migrate your 15+ year old code already and be
done
>> with it?
>>
>> Either that or fork PHP and never upgrade again. If you're this unhappy
>> with any/all changes to PHP, that seems a viable option.
>
>
> Please, let's keep the list clean of ad hominem reactions. Lester has a
valid opinion, based on what seems to be a successful legacy of working
code. That kind of code is essential PHP, and I, for one, value his
perspective and welcome his feedback. If we break his code, or establish
barriers to his code modernization efforts, we're probably doing the same
to a whole class of users whom we might not hear from otherwise.

That was not an ad hominem attack. It was a description of the emails
Lester send to the list.

"Update your code or fork PHP" is not a particularly constructive comment.
Neither, of course, is "don't make changes to my programming language of
choice". Especially given that the feature discussed here would not
actually directly influence Lester - he does not have to use it. In
essence, Lester was arguing against this feature because others in the
community would use it, and that would be a problem for him.

>From what i can tell, Lester has an infrastructure problem. Not a PHP
problem. But he still wants to halt language development so the community
doesn't pick up new features that might make problems in his code. That
does not seem reasonable to me.

Re: [PHP-DEV] Function auto-loading

2016-08-10 Thread Peter Lind

On 10 August 2016 at 10:51, Lester Caine  wrote:

> On 09/08/16 06:54, Sara Golemon wrote:
> > On Mon, Aug 8, 2016 at 9:59 PM, Lester Caine  wrote:
> >> So Composer IS now the rule rather than some optional extra?
> >>
> > Yes, the community has decided that for us.  Or at least, Composer is
> > a *significant* player in the ecosystem of PHP development.
> > require_once() might be fine for NiH applications, but for the
> > collaborative world of modern PHP, it's the defacto standard.
>
> Much as PSR also does.
> This is probably fine if one is starting a project from scratch, but
> with now 15+ years worth of code that does not follow this 'modern
> style' it's another barrier to moving code forward. There is nothing
> wrong with the code other than newer users done approve of the style of
> working :(
>
>
EVERYTHING is a barrier to moving your code forward. You tell the mailing
this on a regular basis.
Perhaps you should just migrate your 15+ year old code already and be done
with it?

Either that or fork PHP and never upgrade again. If you're this unhappy
with any/all changes to PHP, that seems a viable option.

Regards
Peter


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] New RFC

2016-08-02 Thread Peter Lind

On 2 August 2016 at 09:11, Dan Ackroyd  wrote:

> Hi Tomáš,
>
> It has been thought about, and several people are looking at an
> implementation of generics: https://wiki.php.net/rfc/generics However,
> it seems quite hard to implement.
>
> I am beginning to wonder if rather than aiming for full support of
> generics listed in that RFC, instead we just aimed for arrays that can
> only contain one type of variable as a good first step.
>
> cheers
> Dan
>
>
It's probably worth noting that creating "arrays" that can only contain one
type of variable is already possible by implementing ArrayAccess, Iterator
and Countable.

It won't work exactly like arrays and probably never will (see
https://www.mail-archive.com/internals%40lists.php.net/msg59199.html) but
might be worth as a starting point.

Regards
Peter


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] Pipe Operator

2016-05-09 Thread Peter Lind

On 9 May 2016 at 08:45, Stanislav Malyshev  wrote:

> Hi!
>
> > I have the feeling that if everyone involved *explicitly* prefixed their
> > opinions with "I think that", this would be a better and more fruitful
>
> Is there any other option?
>

As in "better options"? I don't think so. As in "could my statement be
taken any other way"? Clearly, as the way you put it forward you were
claiming not that you though things unobvious, but that they were
unobvious. You are trying to make the exact same argument, in different
words, in your argument below.

>
> > discussion. *You* think the syntax completely unobvious - that doesn't
> > make it so. Clearly others find it much easier to read.
>
> If you think it's obvious - it also doesn't make it so, then.

That is a logical conclusion, yes. I didn't state my opinion on the pipe
operator, though.

> It appears
> we have no way to determine if it's obvious or not. But I'd like to
> venture a proposal - find somebody who is not familiar with this
> proposal and maybe even with PHP and ask them - what do you think * or +
> or -> may mean in PHP? If they are familiar with any other languages
> like PHP, they would venture a guess with would be pretty close to the
> truth. Now ask them what |> and $$ may mean. Are you ready to tell me
> their answers would be as accurate and close to the truth as before?
>

Are you willing to argue that PHP should never implement features not found
commonly in other languages? Because that's where you're going with that
argument.

Regards
Peter

-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] Pipe Operator

2016-05-09 Thread Peter Lind

On 9 May 2016 at 07:37, Stanislav Malyshev  wrote:

> Hi!
>
> > "|>" is just a building block for simpler coding. It could be used
> badly, but
> > it helps a lot. Procedural code could be much simpler and readable with
> "|>".
>
> I don't see how it helps anything. It just replaces clear variable names
> with cryptic sequences of characters with no intuitive meaning and magic
> semantics invented solely to save a few keystrokes. Moreover, it would
> only in one sole use case where functions always return a value that is
> immediately passed to the next one and is sole argument for it, and
> never produce errors or require any logic beyond calling them in a
> sequence on one value.
>
>
That seems to be a misrepresentation of the proposal - the $$ is needed
*because* there might be other parameters. As for sole use case - there are
many pieces of code that manipulate the return values of functions, step by
step.



> > "|>" version is much easier to read and write.
>
> Quite the opposite. It has completely unobvious syntax (what is $$? What
> is the value of $$? how I see this value if I need to debug this code?)
> and does not allow to do anything but making code more cryptic.
>

I have the feeling that if everyone involved *explicitly* prefixed their
opinions with "I think that", this would be a better and more fruitful
discussion. *You* think the syntax completely unobvious - that doesn't make
it so. Clearly others find it much easier to read.

Regards
Peter



-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] Pipe Operator

2016-04-30 Thread Peter Lind

On 30 Apr 2016 16:43, "Lester Caine"  wrote:
>
> On 30/04/16 14:57, Marco Pivetta wrote:
> > Relevant: https://youtu.be/UvD1VjRvGIk
>
> Trimming the now useless error code 
>
> As I said in the message ... no problem if you simply have a SINGLE
> pathway through the code. That video simply assumes that anything that
> is not success is an error. MUCH of my code base has turntables or three
> way switches which in addition to possible errors, you have a lot more
> than one 'success' output.
>
> The pipe operator does not provide a work flow as demonstrated in that
> video ...

So in essence, any feature that doesn't fit your codebase is wrong. About
tight?

> --
> Lester Caine - G8HFL
> -
> Contact - http://lsces.co.uk/wiki/?page=contact
> L.S.Caine Electronic Services - http://lsces.co.uk
> EnquirySolve - http://enquirysolve.com/
> Model Engineers Digital Workshop - http://medw.co.uk
> Rainbow Digital Media - http://rainbowdigitalmedia.co.uk
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Re: [PHP-DEV] Re: Improving PHP's type system

2016-04-14 Thread Peter Lind

On 14 April 2016 at 01:43, Zeev Suraski  wrote:

>
> > On 14 באפר׳ 2016, at 7:14, Larry Garfield 
> wrote:
> >
> >> On 4/13/16 3:24 PM, Stanislav Malyshev wrote:
> >> Hi!
> >>
> >>> May I suggest you the following article (more of a starting point into
> >>> Ceylon actually) regarding this topic:
> >> There was a time where PHP was considered a good beginner's language.
> >> Now it seems we want to pivot and target category theory PhDs instead?
> :)
> >
> > A language that is usable primarily by beginners will only be useful for
> beginners.  Non-beginners will shun it, or simply grow out of it and leave.
> >
> > A language that is usable only by PhDs will be useful only for PhDs.
> Beginners won't be able to comprehend it.
> >
> > A language that is usable by both beginners and PhDs, and can scale a
> user from beginner to PhD within the same language, will be used by both.
> >
> > Doing that is really hard. And really awesome. And the direction PHP has
> been trending in recent years is in that direction.  Which is pretty danged
> awesome. :-)
>
> I would argue that PHP was already doing that almost since inception.  I
> think we have ample evidence that we've been seeing a lot of different
> types of usage - both beginners' and ultra advanced going on in PHP for
> decades.
> I would also argue that in recent years, the trending direction has been
> focusing on the "PhDs", while neglecting the simplicity seekers (which I
> wouldn't necessarily call beginners).  Making PHP more and more about being
> like yet-another-language, as opposed to one that tries to come up with
> creative, simplified ways of solving problems.
> Last, I'd argue that a language that tries to be everything for everybody
> ends up being the "everything's and the kitchen sink", rather than
> somethings that is truly suitable for everyone.
>
> We also seemed to have dumped some of our fundamental working assumptions
> - that have made PHP extremely successful to begin with:
>
> - Emphasis on simplicity
> - Adding optional features makes the language more complex regardless of
> whether everyone uses them or not
>
>
Really? The recent number of RFCs focusing on making some of PHPs
annoyances go away have passed you by? They seem to fall squarely within
"emphasis on simplicity" as far as I can tell.

Also, PHP is known as the language with a million ways to do things, where
some functions even have aliases because reasons. It's been that way since
a very long time. That suggests to me that complexity/optional features are
not frowned upon - only some types of complexity are seen as bad, and only
some types of simplicity are apparent worthwhile. Spelling out personal
preferences here would probably help solve these discussions faster.



> It does seem as if we're trying to replicate other languages, relentlessly
> trying to "fix" PHP, which has been and still is one of the most successful
> languages out there - typically a lot more so than the languages we're
> trying to replicate.
>
>
Regards
Peter


-- 
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Handling of withdrawn RFCs

2016-01-21 Thread Peter Lind

On 21 January 2016 at 21:53, Ronald Chmara  wrote:

> On Thu, Jan 21, 2016 at 12:33 PM, Flyingmana 
> wrote:
> > An RFC could still be valuable for the project, even if the original
> > author leaved, so taking it over should be possible. And it should not
> > be painful in any way.
> > Would we need some rules in case multiple people want to take it over,
> > or should we say the first one wins?
> > Is there any way to abuse the taking over of an withdrawn RFC?
>
> Hypothetically:
>
> An RFC being used primarily for ongoing debate/argument/trolling
> purposes could live indefinitely, generating hundreds, or thousands,
> of messages, and changesets/PR's, and list churn, in the name of
> "making sure an issue is adequately discussed and resolved".
>
> Even as individual trolls, marks, and sockpuppets were knocked down,
> new ones could pick up the mantle of "but we're discussing important
> things, here!", and continue the loop, only finally exhausting the
> suite of RFC mechanisms all of the trolls/marks/puppets finally gave
> up, or were someho0w being administratively prohibited from all future
> participation.
>
> Which, if the PHP email lists were an endless trolling/argument/debate
> forum like twitter or reddit, would be completely appropriate.
>
> This is all hypothetical, of course.
>
>
This thread being about withdrawn/re-proposed RFCs, how is that comment
relevant? Seeing as anyone wanting to debate/argument/troll indefinitely
can do so using their own RFC - or, for that matter, without an RFC.

Regards
Peter


-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Handling of withdrawn RFCs

2016-01-21 Thread Peter Lind

On 21 January 2016 at 22:24, Ronald Chmara <rona...@gmail.com> wrote:

> On Thu, Jan 21, 2016 at 12:59 PM, Peter Lind <peter.e.l...@gmail.com>
> wrote:
> > On 21 January 2016 at 21:53, Ronald Chmara <rona...@gmail.com> wrote:
> >> On Thu, Jan 21, 2016 at 12:33 PM, Flyingmana <flyingm...@googlemail.com
> >
> >> wrote:
> >> > Is there any way to abuse the taking over of an withdrawn RFC?
> Snip_>
> >> An RFC being used primarily for ongoing debate/argument/trolling
> >> purposes could live indefinitely, generating hundreds, or thousands,
> >> of messages, and changesets/PR's, and list churn, in the name of
> >> "making sure an issue is adequately discussed and resolved".
> >> Even as individual trolls, marks, and sockpuppets were knocked down,
> >> new ones could pick up the mantle of "but we're discussing important
> >> things, here!", and continue the loop...
> Snip_>
> > This thread being about withdrawn/re-proposed RFCs, how is that comment
> > relevant?
>
> The relevance is in ways to "abuse the taking over of an withdrawn RFC".
>
>
Ahhh good point, missed that.



> > Seeing as anyone wanting to debate/argument/troll indefinitely can
> > do so using their own RFC -
>
> Creating a new RFC has a higher barrier to entry, requiring additional
> effort.
>
>
If your aim is to clutter the mailing list indefinitely, that's really not
going to get in your way.



> > or, for that matter, without an RFC.
>
> I would suggest that random email trolling does not have the same
> audience, impact, or formal trappings of a public RFC process.
>
>
Random email trolling, no. But then again, random email trolling is not
really what we're talking about, is it?
Plus, it's a mailing list, not a forum. The default is that you follow
every thread, and have to actively mute them. Email trolling by splitting
off of threads would actually be more effective than keeping to one RFC
thread - not less effective.

Regards
Peter


-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] Back to the code (was Re: Internals and Newcomers and the Sidelines (WAS: Adopt Code of Conduct))

2016-01-13 Thread Peter Lind

On 13 January 2016 at 16:49, Adam Howard  wrote:

> Alright, you want a straight up answer, I'll provide you one.  Here is
> my constructive criticism.  I'd like to be able to opt-out of this
> conversation and not further have it flood my inbox and be able to actually
> get back to what matters and what I and most everyone else signed up for
> (PHP Development, Code).
>

1. You're top-posting
2. You're posting from a gmail address. Gmail has mute function. Use it

Regards


-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-07 Thread Peter Lind

On 7 Jan 2016 20:59, "Chase Peeler"  wrote:
>
> On Thu, Jan 7, 2016 at 2:51 PM, Pierre Joye  wrote:
>
> > On Jan 8, 2016 2:44 AM, "Paul M. Jones"  wrote:
> > >
> > >
> > > > On Jan 7, 2016, at 13:39, Pierre Joye  wrote:
> > > >
> > > >
> > > > On Jan 8, 2016 2:27 AM, "Paul M. Jones"  wrote:
> > > > >
> > > > >
> > > > > > On Jan 7, 2016, at 13:25, Pierre Joye 
> > wrote:
> > > > > >
> > > > > >
> > > > > > On Jan 8, 2016 2:21 AM, "Paul M. Jones" 
> > wrote:
> > > > > > >
> > > > > > >
> > > > > > > > On Jan 7, 2016, at 13:15, Pierre Joye 
> > wrote:
> > > > > > > >
> > > > > > > >
> > > > > > > >> On Jan 8, 2016 1:58 AM, "Paul M. Jones" <
pmjone...@gmail.com>
> > wrote:
> > > > > > > >>
> > > > > > > >> I notice you did not answer my question. I'll ask again:
when
> > you say "proven guilty" what exactly do you mean?
> > > > > > > >
> > > > > > > > I see you are going to nitpick here. So let clarify it.
> > > > > > >
> > > > > > > When we're talking about banning people as a result of their
> > actions, we'd better be clear on the details, don't you think?
> > > > > > >
> > > > > > >
> > > > > > > > If there is a clear set of evidences that someone harassed,
> > insulted, attacked another person then it fits this definition.
> > > > > > >
> > > > > > > What to you would be "a clear set of evidences"?  (If you have
> > examples of actual occurrences, that would be better than building
> > hypotheticals, and probably easier.)
> > > > > > >
> > > > > > >
> > > > > > > > Please keep in mind than harassment, attacks or insults have
> > nothing to do with opinions.
> > > > > > >
> > > > > > > Unfortunately, too many people confuse "argument" with
> > "harassment", and "disagreement" with "attacks", and "observations" as
> > "insults."  So I'd like to hear first what "clear evidence" means to
you.
> > > > > >
> > > > > > This is what I mean by nitpicking. I am sure you perfectly
> > understand my point as well as what I would consider as bad. Just in
case,
> > an opiniated hot discussion is not. I would appreciate a clear answer as
> > well from your side and little less nitpicking.
> > > > >
> > > > > To give clear answers, I need clear statements. For example, if a
> > person *claims* harassment, what to you would be *evidence* of that
> > harassment?  This is not nitpicking; this is defining the terms of the
> > conversation. If you are unable to clarify, that's cool, just say so.
> > > >
> > > > I think you are playing.
> > >
> > > I have never been more serious. This RFC, if passed, is going to have
> > wide-ranging consequences, and if the terms in it are so vague as to
give
> > open-ended powers to those charged with enforcing it, I think that's a
> > dangerous thing.
> > >
> > > So again: What to you would be "a clear set of evidences"?  (If you
have
> > examples of actual occurrences, that would be better than building
> > hypotheticals, and probably easier.)
> > >
> > > And again, if you are unable to clarify this, I'm OK with that. I get
> > that it's messy.
> >
> > It is not. To me to distinguish harassment vs hot discussions (public or
> > private) is part of common sense and I trust us to have this common
sense
> > when this group will be created.
> >
> > Also the very definition of harassment is pretty clear. Read
> > http://legal-dictionary.thefreedictionary.com/harassment for the
> > reference.
> > If it is not clear for you then yes, I cannot make it clearer. Sorry.
> >
> > I do not think we need to build up our own definition because some
thinks
> > we will abuse powers.
> >
>
> " the act of systematic and/or continued unwanted and annoying actions of
> one party or a group, including threats and demands."
>
> Nothing in the definition beyond that is exclusionary. It includes various
> examples, but does not limit it beyond that. To me, "unwanted or annoying
> actions" probably describes how a lot of people feel about Paul's comments
> (I'm not one of them). Does that make him guilty of harassment?
>

Paul has switched to constructively participating in the discussion. He is
also not singling out any group or person for unwanted or annoying actions.
So no, he is not guilty of harassment.

Was that answer you were looking for?

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-06 Thread Peter Lind

On 6 January 2016 at 21:43, François Laupretre  wrote:

> Le 06/01/2016 20:38, Ryan Pallas a écrit :
>
>>
>> I agree, a conflict resolution document *and team* seems infinitely
>> better.
>> This team's job is to resolve things quietly and without further incident,
>> however if action may be required - its an open vote (as previously
>> suggested).
>>
>
> Agreed. 'Don't be evil' is sufficient as a CoC. Anything we add to this
> will be redundant, ambiguous, and subject to interpretations.
>
>
If you had but an inkling of the irony in that sentence ...


-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-05 Thread Peter Lind

On 5 January 2016 at 16:59, Stanislav Malyshev  wrote:

> Hi!
>
> > How exactly would you feel about having all of this made explicit to all
> > the other PHP devs? Presumably you look up to some of these people -
>
> I presume you would feel bad. However your example is purely theoretical
> and hand-crafted to exactly fit your argument.


Yes, I thought it up, hence it's theoretical. If you think that means it
hasn't happened countless times along those lines, you need to learn how to
google.



> It is easy to imagine
> theoretical example that found fit practically any argument - including
> one that nobody should have any due process at all, since proving any
> allegations just hurts the victim again (and you can imagine
> unbelievably hurtful circumstances for your theoretical case, since the
> only limit is your imagination), so any allegation should be considered
> true by mere fact of alleging.


Is there any particular reason you feel the need for arguing strawmen? At
which point has *anyone* argued for against due process? If you cannot
point to any such point, would you mind not assuming them?



> I hope that would be going too far for you?
>

See above.


> In practice, there's rarely an allegation that can not be published to
> the measure that makes it clear what happened.


Unless you've been through abuse and harassment along the lines of
http://blog.randi.io/2015/12/31/the-developer-formerly-known-as-freebsdgirl/
I would suggest you stop assuming what it is like.



> That does not mean
> "verbatim" - in some cases, like publishing private information,
> reproducing it verbatim as a proof would be obviously counterproductive,
> but there are also obvious way to describe it without reproducing
> verbatim, such as "publishing private information".
>
>
See above.



> > If you happen to belong to a minority group that often is at the
> > receiving end of abuse, what would you think if this was the message
> > being sent? Would you expect to be understood by your peers, or would
>
> I think the message that is being sent is that everybody will be treated
> equally and fairly. If somebody has done something bad, it would be
> known and the solution would be found, if nothing bad happened, people
> can be reasonably assured that they are safe from false accusations.
> That applies to majorities, minorities, mediocrities and any other
> groups, however one would like to label oneself that particular day.
>

And you would be wrong - that is not the message being sent.

-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-05 Thread Peter Lind

>
> +1. The proposed CoC is too vague for a multi-cultural environment like
> ours. Reference to ethics, for example, is subjective by nature. But I'm OK
> for a more precise text that everybody must explicitely approve before
> getting any karma.
>
> But I am opposed to any form of law enforcement board. I understand it
> ensures privacy but my feeling is that we don't need privacy here, and we
> never needed such a mechanism during 20 years. Most questionable messages
> are published on the mailing list. If someone receives an offending private
> mail or is victim of harassment in any other way, he can just publish it on
> the list and everyone will judge if it is offending or not. Then, if we
> need to consider banning someone, anybody can create a specific RFC for
> this, but it is an extreme case that, fortunately, has a very low
> probability..
>

A quick question: suppose you're from a minority group, and you've been the
target of abuse previously your life. You now join the PHP community and
for whatever reason, someone takes a dislike to you and starts harassing
you in private. The abuse makes use of the same stuff you've been through
before, and because this is a real douchebag, some very humiliating things
are thrown in for good measure.

How exactly would you feel about having all of this made explicit to all
the other PHP devs? Presumably you look up to some of these people - would
your first thought be "Oh I know! I'll post all this nasty stuff to a
public mailing list, that is archived on the web where EVERYONE can see all
the humiliation coming my way - and where google is sure to pick up all
these things about me!"?

If you happen to belong to a minority group that often is at the receiving
end of abuse, what would you think if this was the message being sent?
Would you expect to be understood by your peers, or would their concern
about being possibly accused of something seem like an out-of-hand
rejection?

Regards
Peter

-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-05 Thread Peter Lind

On 5 January 2016 at 19:53, Stanislav Malyshev  wrote:

> Hi!
>
> > Yes, I thought it up, hence it's theoretical. If you think that means it
> > hasn't happened countless times along those lines, you need to learn how
> > to google.
>
> I hope you realize how weak is an argument along the lines of "I am
> right, if you don't see it, learn how to google".
>
>
I'm sorry. I, wrongly, assumed that it was common knowledge by now how
toxic the tech environment and culture can be, and how many people have
been abused and harassed, both online and offline.



> > Is there any particular reason you feel the need for arguing strawmen?
> > At which point has *anyone* argued for against due process? If you
> > cannot point to any such point, would you mind not assuming them?
> >
> >
> >
> > I hope that would be going too far for you?
> >
> >
> > See above.
>
> As you see, I have assumed exactly the opposite: that you are *not*
> against due process. That's what "going too far" means. You are merely
> using an argument that proves too much
> (https://en.wikipedia.org/wiki/Proving_too_much) - following that
> argument, we could conclude that due process is bad. Which is an absurd
> conclusion - that's how reductio ad absurdum works.
>
>
You argued against a strawman. I pointed that out. One of us was misreading
something, and seeing as you put the argument with no due process
whatsoever forward, I thought it was you. My mistake.



> > Unless you've been through abuse and harassment along the lines
> > of
> http://blog.randi.io/2015/12/31/the-developer-formerly-known-as-freebsdgirl/
> > I would suggest you stop assuming what it is like.
>
> I can not stop it since I never started. But what is like, however bad
> it is, is not an argument for what we are discussing, since we do not
> argue what happened there is good. We argue whether adopting the RFC is
> a good way to prevent something like that from happening or reduce its
> incidence. Saying "introducing safe mode is not a good way to improve
> security" is not the same as saying "we need no security" :)
>
>
It seems to me you did in fact assume that things could be handled
transparently on the mailing list - as that was the proposed solution you
put forward. I then pointed to a specific case that I doubt most people
would be happy about making public.

And yes, we're discussing how to best handle things. My specific point was
that requiring people to post to the mailing list if they have any
grievances is not a good idea. Doesnt mean that the watchmen shouldn't be
watched.

-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-05 Thread Peter Lind

On 5 January 2016 at 20:26, Stanislav Malyshev  wrote:

> Hi!
>
> > That is the problem: you cannot discuss how to protect the accused
> > without having the context of the abused. As you have yourself pointed
> > out with examples, it is a tradeoff.
>
> But that is exactly what I want - to have full(er) context! The secret
> procedure makes that harder. Of course, there are tradeoffs and some
> details must be withheld - but the first version of RFC (did not read
> the new one yet) was "maximum confidentiality", and that's not good IMO.
> I think the default should be "maximum disclosure, unless it's obviously
> damaging (personal data, etc.) or no-content (insults, slurs, etc.)".
> I.e. I recognize there's no absolute, I just want the balance be different.
>
>
That makes very good sense. I think the process could be optimized, but I
think aiming for maximum disclosure is as problematic as maximum
confidentiality - it ignores the perspective of one party.



> > That is a truism: doing more damage is not fixing anything. However,
> > unless I am mistaken, you yourself put forward the lack of explicit
> > problems as an argument in favour of not doing anything.
>
> Right. So that's one point of discussion - should we do anything at all
> or not. But if we *are* doing something - that's the second point of
> discussion - namely, institute new structure with broad powers in the
> community - we should do it in a way that is least likely to cause damage.
>
>
I wholeheartedly agree.


-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-05 Thread Peter Lind

On 5 January 2016 at 19:42, Stanislav Malyshev  wrote:

> Hi!
>
> > It's interesting to note how few people in this thread consider the
> > perspective of potential harassed or abused people - instead only
> > focusing on how to protect the accused.
>
> We do not discuss it much because it is a) covered in the RFC thus
> forming context of the discussion and b) most of it is non-controversial
> - we know hurting people is bad, we should not do it, and we should not
> accept such behavior in our community. It is *how* we achieve that which
> is the question for discussion.
>
>
That is the problem: you cannot discuss how to protect the accused without
having the context of the abused. As you have yourself pointed out with
examples, it is a tradeoff.



> > Quick check: how many times in the history of PHP has someone been
> > called out, wrongly, for being abusive or harassing others? If, as seems
>
> There was some amount of "meta" discussions, in which all kinds of
> complaints and counter-complaints were voiced, many times. But since we
> have no formal mechanism for "accusing" or for determining "wrong", we
> can't really know how many of such cases there were.
>
> > to the argument ("we're such a great and tolerant community, we don't
> > need this"), this hasn't happened - what's with the paranoia behind
> > assuming it will suddenly happen constantly and that people will be
> > banned left and right for no reason?
>
> Because unfortunately we have witnessed, in other communities, how
> applying such things too hastily and without due consideration can cause
> damage. While abuse is undeniably damaging, doing more damage, this time
> by ourselves, is not the right way to fix it.
>
>
That is a truism: doing more damage is not fixing anything. However, unless
I am mistaken, you yourself put forward the lack of explicit problems as an
argument in favour of not doing anything.

A middle way could be - like we're doing now - discuss options that amount
to more than doing nothing (status quo) and less than voting in the worst
possible option.



> > voting is allowed. Even in the most clearcut case where someone is being
> > a complete asshole, you're then either allowing them to continue the
> > harassment or ignoring your own point. It's hard to see how either
> > option benefits PHP, let alone the abused person.
>
> In most clearcut case where somebody is obviously misbehaving, we have
> plenty of people that can revert commits or remove people from ML. That
> happened in the past. We do not need a special troika for that.
>

 Ah, I mistook the idea of using the RFC to handle problems with conduct to
be a general way to deal with things.

-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Draft] Adopt Code of Conduct

2016-01-04 Thread Peter Lind

On 5 January 2016 at 05:49, Paul M. Jones  wrote:

>
> > On Jan 4, 2016, at 22:42, Sara Golemon  wrote:
> >
> > Formalized rules and due process are terrible for a free and open
> society?
>
> This proposal is neither formalized, nor due process.  You're great at C,
> Sara, but you're horrible at law.
>
> OMG WAS THAT OFFENSIVE?  BAN BAN BAN!
>
>

Troll much?


-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Discussion] Short Closures

2015-09-04 Thread Peter Lind

On 4 September 2015 at 09:43, Pavel Kouřil <pajou...@gmail.com> wrote:

> On Fri, Sep 4, 2015 at 8:57 AM, Peter Lind <peter.e.l...@gmail.com> wrote:
> > On 4 September 2015 at 08:44, Pavel Kouřil <pajou...@gmail.com> wrote:
> >
> > You're arguing that, subjectively, to you - parentheses make things
> harder
> > to read. For others they clarify things.
> > It should be obvious to everyone that this particular path of the
> discussion
> > has about as much merit as tabs vs spaces.
>
> Sure, it is subjective - but what isn't?
>
>
Consistency isn't.



> > That being the case, I would argue for consistency and simplicity. If you
> > need parentheses for other variants of this, require parentheses all the
> way
> > through. It will be simpler to learn and trip fewer people up.
>
> Depends how you define simplicity. Because $a ~> $b ~> $c ~> $d is
> IMHO more simple than ($a) ~> ((($b) ~> (($c) ~> $d($foo))) - which is
> a result of the combination of amendments #2 and #3. I honestly do not
> know if I wrote the parenthesis right now or not (probably not),
> because there's simply just too many of them.
>
> Sure, parenthesis can help people understand things, but I'd say that
> at the same time, too many of them can be a problem as well (as the
> fun name for LISP - "lost in stupid parenthesis" - suggests).
>
>
Is it? And are the examples you make use of the only two options?
What about requiring parentheses around arguments, but not around the
function body? That would guard against stupid "I'll add another argument
... why isn't it working?!?!?!" errors (getting a syntax error and then
having to fix your code isn't easier than just consistently adding
parentheses around arguments).


> > Just think, if whoever constructed the if conditional hadnt thought "hey,
> > let's be clever and save some keystrokes by making the curlies optional
> in
> > some cases" we wouldn't have the multitude of bugs and security holes we
> > know to exist, we wouldn't have to warn the young'uns against improper
> use
> > of if, we wouldn't have to write codesniffer rules against single line
> ifs,
> > etc, etc.
> >
> > Any argument to the effect of "let's be clever" or "it'll save some
> > keystrokes" is void. Period.
>
> This is not about saving characters, it's about not overcomplicating
> things.
>

You're aiming for the "let's be clever" camp, far as I can tell.




-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] [RFC] [Discussion] Short Closures

2015-09-04 Thread Peter Lind

On 4 September 2015 at 08:44, Pavel Kouřil  wrote:

*snip*

> But even just #3 seems kinda "harder" to read than the form without
> any parenthesis.
>
> function partial($cb) { return ($left) ~> ($right) ~> $cb($left, $right); }
>
> I know the parenthesis are optional in just one scenario, but I'd
> argue it's probably the most common one.
>

You're arguing that, subjectively, to you - parentheses make things harder
to read. For others they clarify things.
It should be obvious to everyone that this particular path of the
discussion has about as much merit as tabs vs spaces.

That being the case, I would argue for consistency and simplicity. If you
need parentheses for other variants of this, require parentheses all the
way through. It will be simpler to learn and trip fewer people up.

Just think, if whoever constructed the if conditional hadnt thought "hey,
let's be clever and save some keystrokes by making the curlies optional in
some cases" we wouldn't have the multitude of bugs and security holes we
know to exist, we wouldn't have to warn the young'uns against improper use
of if, we wouldn't have to write codesniffer rules against single line ifs,
etc, etc.

Any argument to the effect of "let's be clever" or "it'll save some
keystrokes" is void. Period.

Regards
Peter

-- 

WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15

Re: [PHP-DEV] PHP 7.1 Cryptography Projects

2015-08-04 Thread Peter Lind

On 4 August 2015 at 10:13, Lauri Kenttä lauri.ken...@gmail.com wrote:

 On 2015-08-03 23:54, Scott Arciszewski wrote:

 $AES = new \PCO\Symmetric('openssl:cipher=AES-128');


 It would be great if you could just ask for cipher=AES-128 without
 explicitly specifying the provider (openssl).


Even better would be splitting arguments up. There's not much point to
multi-valued arguments, they're just harder to parse/memorize.
If you need a common constructor, use a configuration object instead of a
made-up string format.

Apart from that, thumbs up on this!


-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] PHP 7.1 Cryptography Projects

2015-08-04 Thread Peter Lind

On 4 August 2015 at 13:56, Scott Arciszewski sc...@paragonie.com wrote:


 Hi Peter,

 It's not really a made-up string format, in the sense that it has a
 precedent (PDO).


True, and that format sucks royally. It trips people up.

Combining several arguments into one string is bad design. If it was good
design, you'd see userland code using it all over the place.



 Hopefully my response to Lauri makes this design decision seem more
 reasonable.


No, quite the opposite.

You're arguing that this:

new \Namespace\Class(:cipher=AES-256;mode=GCM);

is easier to work with than:

new \Namespace\Class(null, 'AES-256', 'GCM');

Or possibly

$config = new \Namespace\ConfigClass();
$config-setCipher('AES-256')
 -setMode('GCM');

$crypto = new \Namespace\Class($config);


Your parameter layout may be easier for you to deal with, but all the
people you're trying to help with this will be worse off for it.
PDOs constructor has only lead to more debugging, not better code (unlike
the rest of PDO).

Regards
Peter

Re: [PHP-DEV] DateInterval bug

2015-04-14 Thread Peter Lind

On 13 April 2015 at 22:20, Derick Rethans der...@php.net wrote:

 On Sun, 12 Apr 2015, Peter Lind wrote:

  Hi,
 
  I wanted to get into PHP code development so I grabbed a random bug from
  bugs.php.net. Which turned out to be
 https://bugs.php.net/bug.php?id=69378
 
  The problem the bug report describes is that creating a diff between two
  dates and then subtracting the diff from the later date does not give you
  the former date. Or, as the bug report state, this should hold:
 
  B - (B - A) == A
 
  But it doesn't, because of the way DateInterval and DateTime interact. A
  DateInterval is broken up into years, months, days, hours, minutes and
  seconds - which can be added or subtracted from a date. However, months
 are
  not fit size, so the order in which things are added or subtracted
 matters.
  In the bug report, the problem arises because months are subtracted
 before
  days - and there's a huge difference between subtracting 17 days from 2.
  April and from 2. March.
 
  In itself, this isn't a big problem - but apparently this behaviour is
 how
  the system is supposed to work. In the tests for the date extension, I
  found this test for DateTime::add
 
  echo test_years_positive__6_shy_1_day: ;
  examine_diff('2007-02-06', '2000-02-07', 'P+6Y11M30DT0H0M0S', 2556);
 
  echo test_years_negative__6_shy_1_day: ;
  examine_diff('2000-02-07', '2007-02-06', 'P-6Y11M28DT0H0M0S', 2556);
 
  The third argument in the examine_diff calls is used in the constructor
  call to DateInterval. The difference is whether the interval will be
  positive or negative. Note the difference of two days - if you add a
  positive interval, then 7 years minus 1 day is 6 years, 11 months and 30
  days. If you add a negative interval, then 7 years minus 1 day is 6
 years,
  11 months and 28 days.
 
  Is there a good explanation for this behaviour (which applies both to
  DateTime::add and DateTime::sub)? I've tried searching the internals list
  but couldn't see any discussion of it. It seems like a bug that never got
  fixed to the point where there are tests to make sure things are still
  calculated wrong.

 Why is it a bug? With DateTime math, reversing an operation isn't
 necessarily going to work...


Forgot to mention - this has nothing to do with reversing operations. As
you can see from the unit tests for the Date extension, figuring out what
the interval is between two dates depends on knowing which dates you're
dealing with and if your interval is positive or negative. The fact that
the bug shows up for the example in the bug report is just a symptom of the
underlying problem.

Regards
Peter


-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] DateInterval bug

2015-04-14 Thread Peter Lind

On 13 April 2015 at 22:20, Derick Rethans der...@php.net wrote:

 On Sun, 12 Apr 2015, Peter Lind wrote:

  Hi,
 
  I wanted to get into PHP code development so I grabbed a random bug from
  bugs.php.net. Which turned out to be
 https://bugs.php.net/bug.php?id=69378
 
  The problem the bug report describes is that creating a diff between two
  dates and then subtracting the diff from the later date does not give you
  the former date. Or, as the bug report state, this should hold:
 
  B - (B - A) == A
 
  But it doesn't, because of the way DateInterval and DateTime interact. A
  DateInterval is broken up into years, months, days, hours, minutes and
  seconds - which can be added or subtracted from a date. However, months
 are
  not fit size, so the order in which things are added or subtracted
 matters.
  In the bug report, the problem arises because months are subtracted
 before
  days - and there's a huge difference between subtracting 17 days from 2.
  April and from 2. March.
 
  In itself, this isn't a big problem - but apparently this behaviour is
 how
  the system is supposed to work. In the tests for the date extension, I
  found this test for DateTime::add
 
  echo test_years_positive__6_shy_1_day: ;
  examine_diff('2007-02-06', '2000-02-07', 'P+6Y11M30DT0H0M0S', 2556);
 
  echo test_years_negative__6_shy_1_day: ;
  examine_diff('2000-02-07', '2007-02-06', 'P-6Y11M28DT0H0M0S', 2556);
 
  The third argument in the examine_diff calls is used in the constructor
  call to DateInterval. The difference is whether the interval will be
  positive or negative. Note the difference of two days - if you add a
  positive interval, then 7 years minus 1 day is 6 years, 11 months and 30
  days. If you add a negative interval, then 7 years minus 1 day is 6
 years,
  11 months and 28 days.
 
  Is there a good explanation for this behaviour (which applies both to
  DateTime::add and DateTime::sub)? I've tried searching the internals list
  but couldn't see any discussion of it. It seems like a bug that never got
  fixed to the point where there are tests to make sure things are still
  calculated wrong.

 Why is it a bug? With DateTime math, reversing an operation isn't
 necessarily going to work...


Math that isn't consistent is problematic, in my book. Or, to put it
another way: if someone told me, that there is 6 years, 11 months and 30
days between 7th Feb 2000 and 6th Feb 2007, I would agree. If the same
person then told me that the interval *is also* 6 years, 11 months and 28
days *and that both intervals are correct* - I would question the sanity of
that person. I would go so far as to say: don't ever manage my calendar.

The bug as I see it is that two classes/behaviours have been packed into
one - there should be DateIntervalRepresentation and DateInterval. The
first shows you how many years, months, days, etc there are between two
dates. The second is the actual interval between two dates. The first is
context dependent - it needs anchoring in at least one date. The second is
context independent.

Either that or do away with math you can't rely on. I think what we should
aim for in programming languages is the opposite of isn't necessarily
going to work...

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

[PHP-DEV] DateInterval bug

2015-04-12 Thread Peter Lind

Hi,

I wanted to get into PHP code development so I grabbed a random bug from
bugs.php.net. Which turned out to be https://bugs.php.net/bug.php?id=69378

The problem the bug report describes is that creating a diff between two
dates and then subtracting the diff from the later date does not give you
the former date. Or, as the bug report state, this should hold:

B - (B - A) == A

But it doesn't, because of the way DateInterval and DateTime interact. A
DateInterval is broken up into years, months, days, hours, minutes and
seconds - which can be added or subtracted from a date. However, months are
not fit size, so the order in which things are added or subtracted matters.
In the bug report, the problem arises because months are subtracted before
days - and there's a huge difference between subtracting 17 days from 2.
April and from 2. March.

In itself, this isn't a big problem - but apparently this behaviour is how
the system is supposed to work. In the tests for the date extension, I
found this test for DateTime::add

echo test_years_positive__6_shy_1_day: ;
examine_diff('2007-02-06', '2000-02-07', 'P+6Y11M30DT0H0M0S', 2556);

echo test_years_negative__6_shy_1_day: ;
examine_diff('2000-02-07', '2007-02-06', 'P-6Y11M28DT0H0M0S', 2556);

The third argument in the examine_diff calls is used in the constructor
call to DateInterval. The difference is whether the interval will be
positive or negative. Note the difference of two days - if you add a
positive interval, then 7 years minus 1 day is 6 years, 11 months and 30
days. If you add a negative interval, then 7 years minus 1 day is 6 years,
11 months and 28 days.

Is there a good explanation for this behaviour (which applies both to
DateTime::add and DateTime::sub)? I've tried searching the internals list
but couldn't see any discussion of it. It seems like a bug that never got
fixed to the point where there are tests to make sure things are still
calculated wrong.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Debugging code ...

2014-11-04 Thread Peter Lind

It sounds like you're suggesting that all work on PHP that does not boil
down to bug fixes be stopped.

I'd suggest an alternative: fork PHP and only merge bugfixes in to your own
version. Best of both worlds, you get to keep your beloved PHP pristine
without any of the cumbersome new features, and the rest of us can enjoy an
evolving language.

On 4 November 2014 15:30, Lester Caine les...@lsces.co.uk wrote:

 On 04/11/14 14:01, Florian Margaine wrote:
  Hi,
 
  On Tue, Nov 4, 2014 at 2:28 PM, Lester Caine les...@lsces.co.uk
  mailto:les...@lsces.co.uk wrote:
 
  On 04/11/14 13:13, Florian Margaine wrote:
   On the basis of 'If it's not broken', what is actually broken,
  and what
   is just a matter of 'I don't like that way of working'?
  
   I have a working Annotation system that has not changed since
  I started
   working with PHP. PHPEclise simple displays the information
  from the
   docblock comments and allows me to open the relevant file. I
  can then
   review the other functions available. I can update the
  material and have
   even resorted to porting files and adding extra notes when
  trying to
   decipher other peoples work.
  
   The problem these days is that projects are stripping the
  docblock data
   as 'not the modern way of doing things' and we end up with
  code that
   does not work with the IDE. Fortunately DVCS systems have some
  other
   advantages and one can cherry pick code changes while
  maintaining a
   different style of working.
  
   In addition to 'Annotation', there is a lot of discussion
  about adding
   types into the code. Having moved to using arrays to pass data
 to
   functions, the docblock material includes details on what is
  required in
   the hash, something that you will never get from any of the
  current
   discussions?
  
   Just to add to the fun, PHPEclipse seems to have lost support
  and while
   I have learnt enough Java in the past to fix a few little
 niggles,
   currently it is unable to cope with a number of new
  developments in PHP
   so I'm stuck on just what IS the next move ... While it would
  be nice to
   get on with some new code, nothing is stable enough these days
  to allow
   that :(
  
   Right now, I'm afraid your emails looks like a rant more than
 anything
   else. I'm absolutely certain that you have something interesting
  to say,
   but the message just didn't get through. Could you elaborate?
 
  Just that what many of us have used for years is coming under
 increasing
  pressure as other people promote their own way of working. In the
 past
  we have been able to co-exist, but it is becoming increasingly
 difficult
  as people 'update' coding styles. Anything that is added to the
 'core'
  WILL be used to update third party code, but the rest of the
  infrastructure is simply not keeping up.
 
 
  I'm sorry... I may be stupid. I'm not sure I understand what you want to
  say.
  I have a guess though: are you saying that, for example, PHPEclipse at
  its version from 2008 can't cope up with PHP at its version from 2014?

 Every IDE I've used has always working nicely with docblock annotation
 and typing and has provided the facilities people seem to think should
 be built in to PHP. The problem with keeping the available IDE's up to
 date with the current code is secondary and PHPEclipse just happens to
 be my preference, but if I switch to other options I find similar lag in
 support for key features. Learning a new platform is a bigger stopper
 currently than living with the holes and I will probably fix the problem
 with :: before giving up in and changing ... but it would be nice not to
 have the hassle.

 --
 Lester Caine - G8HFL
 -
 Contact - http://lsces.co.uk/wiki/?page=contact
 L.S.Caine Electronic Services - http://lsces.co.uk
 EnquirySolve - http://enquirysolve.com/
 Model Engineers Digital Workshop - http://medw.co.uk
 Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php




-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] New globals for PUT and DELETE

2014-10-14 Thread Peter Lind

Last time it stranded here:
https://www.mail-archive.com/internals@lists.php.net/msg67294.html

And I believe it's been up a number of times before that.

On 14 October 2014 14:47, Kris Craig kris.cr...@gmail.com wrote:

 Hey guys,

 Does anybody know why we have $_GET and $_POST, but not $_PUT and
 $_DELETE?  As far as I can tell, the only way to get these out currently is
 to parse their values by reading the incoming stream directly.

 Is there a reason why we don't want this or is it just that nobody has
 actually written it yet?

 --Kris




-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Cases Where Bash Shellshock Does Not Apply (mod_php, php-fpm )

2014-09-26 Thread Peter Lind

On 26 September 2014 12:48, Andrea Faulds a...@ajf.me wrote:


 On 26 Sep 2014, at 11:46, marius adrian popa map...@gmail.com wrote:

  Maybe we need an official stance about shellshock

 Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
 not sure there’s much we can reasonably do about it. Similarly to the
 Heartbleed bug, control is not in our hands here.


Informing people about the cases where they *might* be at risk when running
PHP doesn't seem a bad idea. Even though PHP itself is not at fault.



 --
 Andrea Faulds
 http://ajf.me/





 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php




-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Cases Where Bash Shellshock Does Not Apply (mod_php, php-fpm )

2014-09-26 Thread Peter Lind

On 26 September 2014 13:37, Ferenc Kovacs tyr...@gmail.com wrote:

On Fri, Sep 26, 2014 at 12:59 PM, Peter Lind peter.e.l...@gmail.com
wrote:

On 26 September 2014 12:48, Andrea Faulds a...@ajf.me wrote:

On 26 Sep 2014, at 11:46, marius adrian popa map...@gmail.com wrote:

Maybe we need an official stance about shellshock

Do we? As I understand it, this isn’t a PHP-level vulnerability, and I’m
not sure there’s much we can reasonably do about it. Similarly to the
Heartbleed bug, control is not in our hands here.

Informing people about the cases where they *might* be at risk when
running
PHP doesn't seem a bad idea. Even though PHP itself is not at fault.

I think we should only communicate when we have something definite to say,
and currently our official stance is that we aren't aware any problems
related to shellshock, but that doesn't mean that there is none, so I'm not
sure that we have something definite to say.
If we do end up finding something affecting significant amount of users
(even if that requires some misconfiguration or lousy fastcgi wrapper) we
could make an announcement.

I think it's worth communicating what Redhat is:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

As a PHP dev I'd love to be able to find information like that on php.net,
not having to figure out from other sources if it pertains to me or not.

--
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] [VOTE][RFC] intdiv()

2014-07-30 Thread Peter Lind

On 30 July 2014 19:57, Sara Golemon poll...@php.net wrote:

 On Wed, Jul 30, 2014 at 10:54 AM, Andrea Faulds a...@ajf.me wrote:
  On 30 Jul 2014, at 18:51, Adam Harvey ahar...@php.net wrote:
  -1 explanation: I don't think %% is clear enough
 
  % returns the 2nd part of the integer division, %% returns the 1st.
 Surely that makes sense?
 
 That makes sense in PHP.  Probably only in PHP.


Not even in PHP.


-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-28 Thread Peter Lind

On 28 September 2013 11:27, Madara Uchiha mad...@tchizik.com wrote:

 You guys are missing the point. This isn't a language level issue. I
 can imagine some sort of package or a library being made, some sort of
 wrapper around the current session commands, perhaps integrated into
 some sort of extension.

 But it is NOT a language level issue. This isn't a problem the
 language needs to solve, ESPECIALLY since userland implementation is
 so trivial.


I would disagree. PHP has very low security levels by default and some WTF
security issues because of default settings. It should be the other way
round: high security by default that you need to actively change if you
want it lowered.

The problem is that the majority of PHP developers for better or worse
think they can copypaste solutions to problems and forget about things
after that as long as the output on their screens look ok. For many
developers, security is an afterthought if even that. And you are, quite
simply, NOT GOING TO CHANGE THAT IN THE FORESEEABLE FUTURE.

It's not a question of whether you're right or wrong in principle - it's a
simple question of statistics. You will have close to zero impact on the
PHP developers, no matter how many blog articles you write. It is too large
and too diverse a group.

So you're stuck with two choices: accept that PHP security is lax and that
as a result a lot of code will have many attack vectors, or try to change
the language itself for the better. The third option of educate is a
mirage.

Note: I'm not saying this feature would be an overall benefit for the
security of PHP, but the reasoning behind it is right.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-28 Thread Peter Lind

On 28 September 2013 12:25, Leigh lei...@gmail.com wrote:


 On Sep 28, 2013 10:39 AM, Peter Lind peter.e.l...@gmail.com wrote:
 
  So you're stuck with two choices: accept that PHP security is lax and
 that as a result a lot of code will have many attack vectors, or try to
 change the language itself for the better. The third option of educate is
 a mirage.
 

 PHP provides you with all the tools you need to write secure apps. I could
 go around writing mysql_query($_REQUEST[blah]) but I don't. Why? Because
 I have been educated. We don't have restrictions in the core that prevent
 me from doing it, and we don't need them either.

Care to back that up with an argument?


 I agree with you, being secure by default is a worthy objective, but the
 proposal here shouldn't even be on by default. (remember not everyone is
 able to control their ini settings and whatnot)

Worthy objective? You just stated your opinion that you don't want default
protection in the core language. Which is it?


 Education is not a mirage. People picked up their insecure coding habits
 from somewhere, and if its from laziness then I don't think they really
 deserve protecting. If it was from a terrible blog article promoting
 insecure practices then we need better articles. There's not much we can do
 to remove the content that's already out there, but there's a lot we can do
 with providing new, up to date and accurate content.


How many years have PHP been around? For how long have we been trying to
educate people to avoid mysql_* functions? Has it worked? No. You can
educate a fair amount of people but when you have the userbase of PHP it's
downright stupid to think you'll get the majority on board.

Also, saying that people deserve what they get because they're not educated
developers, is being arrogant.


-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-27 Thread Peter Lind

On 27 September 2013 12:12, Leigh lei...@gmail.com wrote:

 On 26 September 2013 11:32, Tjerk Meesters tjerk.meest...@gmail.com
 wrote:
 
  On Thu, Sep 26, 2013 at 6:19 PM, Leigh lei...@gmail.com wrote:
 
  There's several scenarios where a users IP changes and you don't want to
  drop their session. (That doesn't mean it should simply have an option
 to
  disable it either)
 
 
  Let's be clear here: this won't happen (in most cases), because the
 client
  will simply get a new cookie and the session will keep working; it's like
  what you would implement if your user level goes from anonymous to
 logged in
  and vice versa.

 Right, so maybe I misunderstood the intent of this.

 I was reading it as: valid SID on new IP = drop session, which to me
 seems like the more secure approach.

 What you're saying is is when a valid SID is supplied on a new IP, you
 regenerate the SID and the session continues to be valid on the new
 IP?

 So on a successful session hijack (correct SID, new IP) the attacker
 gets a new SID and keeps the valid session while the legitimate user
 gets kicked out.

 Not seeing how that improves things at all.

 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php


In your scenario, user gets booted and thus knows somethings wrong. Much
better than the attacker hijacking the session without the user knowing
anything at all.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Regenerating session ID automatically when IP address has changed

2013-09-27 Thread Peter Lind

On 27 September 2013 12:54, Leigh lei...@gmail.com wrote:

 On 27 September 2013 11:39, Peter Lind peter.e.l...@gmail.com wrote:
  On 27 September 2013 12:12, Leigh lei...@gmail.com wrote:
 
  So on a successful session hijack (correct SID, new IP) the attacker
  gets a new SID and keeps the valid session while the legitimate user
  gets kicked out.
 
  Not seeing how that improves things at all.
 
  In your scenario, user gets booted and thus knows somethings wrong. Much
  better than the attacker hijacking the session without the user knowing
  anything at all.
 
  Regards
  Peter

 And what is done to invalidate the session now gained by the attacker?
 Since this is a proposal to handle such things internally.


And what is done when the user thinks everything is fine and dandy? My
point was that the scenario you created did not pose a problem - if
anything it would be a benefit (as you actually *can* detect some problems
now).

Do you really think random user X will think something is wrong beyond
 the site they were using just kicking them out for no reason? So now
 what do they do now? Log in again? The attacker still has the
 previously valid session, so nothing is gained.


That's for the userland code to decide.


 This is exactly why this kind of logic belongs as user code. We're
 starting to define rules for a system that should be agnostic to how
 it is being used.


I would agree. I was just pointing out that your example was not in fact
much of an argument against the proposal.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Re: Parsing PUT data

2013-09-24 Thread Peter Lind

On 24 September 2013 16:59, Daniel Lowrey rdlow...@gmail.com wrote:

 The bigger issue here is that the superglobals are a leaky abstraction. Any
 HTTP request method is allowed to have an entity body, so should we also
 create $_PATCH and $_PUT and $_ZANZIBAR to handle less-frequently used
 request methods? Where does it stop? This is the problem I see with all the
 requests to support for PUT similarly to POST. PHP web SAPIs support 95% of
 the HTTP use-cases people have, but the abstractions break down after that
 and continuously bolting on support for individual scenarios beyond that
 would be a mistake IMO.


Supporting the base set would not seem a bad idea, I'd say -
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9

PUT is not exactly exotic, though it might not be as used as it could be -
however, with the focus on REST APIs that is changing. Your argument makes
good sense for random HTTP verbs - but suggesting we shouldn't support easy
access to the basic set because where does it stop is not a very good
argument, in my eyes.

Regards
Peter

http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9--
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Feature Proposal: Allow letter decrementing

2013-07-19 Thread Peter Lind

Interesting to note that although Perl 6 is apparently capable of
decrementing strings, it doesn't fully mirror the incrementing:

http://feather.perl6.nl/syn/S03.html#line_516

Specifically: decrementing 'AAA' would not turn into 'ZZ' but would error,
according to that link

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Feature Proposal: Allow letter decrementing

2013-07-19 Thread Peter Lind

On 19 July 2013 11:18, Dan Cryer d...@dancryer.com wrote:

 What's the intended use case for string increment / decrement?


Personally, I instantly think of mirroring spreadsheet columns - works
quite well in that context.


 It just seems like madness to me, using mathematical operators with
 strings, producing seemingly arbitrary results in some circumstances (C -
 B - A - NULL / False ?).


Throw a warning and don't decrement A/a any further - that's not arbitrary.


 Also what happens in other languages? Take for example German, in which ß
 comes after S, Ü after U, and so on.


Nothing, works purely on ascii, as is currently the case. Perl handles
other character sets though - see the link I posted for details on how.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Feature Proposal: Allow letter decrementing

2013-07-19 Thread Peter Lind

On 19 July 2013 12:34, Yasuo Ohgaki yohg...@ohgaki.net wrote:

 Hi,

 2013/7/19 Peter Lind peter.e.l...@gmail.com

 On 19 July 2013 11:18, Dan Cryer d...@dancryer.com wrote:

 What's the intended use case for string increment / decrement?


 Personally, I instantly think of mirroring spreadsheet columns - works
 quite well in that context.


 ++/-- 'XYZ1234' would have use cases.




 It just seems like madness to me, using mathematical operators with
 strings, producing seemingly arbitrary results in some circumstances (C -
 B - A - NULL / False ?).


 Throw a warning and don't decrement A/a any further - that's not
 arbitrary.


 -- is more problematic.
 --'XYZ' would be 'XYZ' or 'XYY0' or 'XYY'?


php -r '$a = YZ9; var_dump(++$a);'
gives me ZA0

If  php -r '$a = ZA0; var_dump(--$a);' doesn't give YZ9 you'll just be
left scratching your head.

Granted, you might be left scratching your head as to why string
incrementing works at all, but that can of worms was opened long ago.

It would be better not to change length of string, IMO.
 e.g. --'XYZ' became 'XYY'


I'd go with --XYZ - XYY
Also, the string length shouldn't factor into it.


 All chars would stop decrement at lowest chars of [0-9], [a-z], [A-Z].
 e.g. Lowest value of 'XYZ' is 'AAA'.

 This is not a symmetric operation of ++, but it's impossible to achieve
 symmetric
 operation ++/-- on strings anyway.


Only at the edge case - and I personally can't see why that would mean
asymmetric operation in the rest of the cases.


-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] RFC Proposal: New assign value operator

2013-06-27 Thread Peter Lind

On 27 June 2013 11:04, Tom Oram t...@scl.co.uk wrote:

 Hi Richard,

 Thanks for your reply, the main reason would be operator overloading rather
 than the typecasting example, the typecasting version is more for
 consistency. I am also fairly that there might be situations where it would
 be useful to set the value of a scalar while preserving the time and save
 the need for checking the type first, however I do admit I can't think of a
 concrete example.

 The main thing I was thinking is I often find myself writing things like:

 $obj-set(2);

 $obj-setValue(5);

 $obj-setX(4);

 Where the object only really represent a single value, examples are things
 like EmailAddress class, ZipCode class, MoneyValue class, etc.


What's the reason you're not doing:

$obj = new EmailAddress('m...@example.com');

or

$obj = new Money('16.99', new MoneyType('USD'));

... actually, email is the only one of the above mentioned classes, that
could have just one value (neither zip code nor money make sense without
context, as zip codes and money depend on locale). That's an aside though.
Main question being: are you arguing for operator overloading in PHP when
you should just use better constructors?

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] property de-referencing

2013-05-01 Thread Peter Lind

On 1 May 2013 14:35, Rasmus Schultz ras...@mindplay.dk wrote:

 
  This is a fringe feature, as evidenced by the fact that you
  are having a hard time convincing people that it is needed


 As with anything that isn't already established and well-known, it's hard
 to convince anyone they need anything they don't understand - I think the
 barrier here is me having difficulty explaining a new idea/concept. That
 doesn't make it a fringe feature - I have already demonstrated by example
 how this would be useful in practically every mainstream framework.


Then why are you not convincing them first to get them on board as support
for your proposal. Right now you're obviously fighting an uphill struggle.
Whether that's because your proposal is without merit or because you have a
hard time convincing people on this mailing list remains to be seen - so
how about taking a smarter approach and convincing your target audience
first, then come back here with more support and a better proposal?

Just a thought.

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] property de-referencing

2013-05-01 Thread Peter Lind

On 1 May 2013 14:55, Rasmus Schultz ras...@mindplay.dk wrote:

 Then why are you not convincing them first to get them on board as support
 for your proposal.


 It's not a proposal yet - I didn't want to write a lengthy RFC just to
 learn that all I had was a brainfart, or that everyone was going to be
 totally opposed. Having the discussion here surfaced a ton of questions
 that (so far) indicate (to me) that this might be a good idea, and also
 helps me address all of those questions if I do end up writing an RFC.

 If you think gathering the information in an RFC is the next logical step,
 I will try to find the time :-)


I think that 1) you might as well start the work now, both to give people a
place to get an overview of the discussion and to gather up the questions
of which there are already a few, and that 2) if you don't start by
reaching out to your indicated main audience (frameworks) then you won't
get the support the idea needs. Also, 3) as your indicated audience is
frameworks they will presumably have a lot of feedback - including your
basic no we don't need this or this would be awesome.

Note that I don't think frameworks would necessarily be the sole audience
for this - I just think your time would be better spent taking the idea
there first.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Proposed changes to PHP language

2013-03-06 Thread Peter Lind

On 6 March 2013 15:50, Alexandre TAZ dos Santos Andrade 
alexandre...@gmail.com wrote:

 This item
 2. Introduce base class for all PHP classes. E.g. Object. It would help
 in type hinting and allow to add new common methods without any magic.

 StdClass Already do that


?php
class A
{}


$obj = new A();
var_dump($obj instanceof StdClass);

Result:
bool(false)


  3. Parse body of PUT request in the same manner as it's done for POST

+1

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

Re: [PHP-DEV] Dropping requirement for `function` keyword for methods in classes/interfaces/etc

2013-02-19 Thread Peter Lind

On 20 February 2013 00:12, Nikita Nefedov inefe...@gmail.com wrote:
 On Tue, 19 Feb 2013 19:10:22 -, Rasmus Lerdorf ras...@lerdorf.com
 wrote:

 On 02/19/2013 03:07 PM, Nikita Nefedov wrote:

 Are you grepping for all the functions or you are grepping just for some
 specific function? If so, you are likely already know what visibility
 this function has, so couldn't you grep for `public %functionName%`
 instead of `function %functionName%`?
 At the end, you can always use `grep
 '(function|public|private|protected) functionName' file`, and if it's
 long to type, you can make sh script, or even alias.


 public is the default visibility so it is often left off, so no, I can't
 grep for that.

 -Rasmus


 As Sara noted, we shouldn't let users define methods without modifiers at
 all, so at least public/private/protected will have to be there.


 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php


Just a quick check: you're absolutely certain this issue isn't much
better/easier handled with IDE macros/plugins? Something along the
lines of zen coding? If you're really that obsessed with typing 9
characters less, you must have considered keyboard shortcuts that let
you type the docblock, visibility, etc. in just 3-5 keystrokes.

Just a thought from userland
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Re: release frequency?

2013-01-06 Thread Peter Lind

As an outsider I would say consistency is king. Knowing that I can
rely on when new versions come out is much more important than whether
they contain 9 or 11 bug fixes. So, pick a schedule that works and
stick to it.

Just my thoughts.


--
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Core liason for PHP FIG

2012-12-16 Thread Peter Lind

You realize that this is not the list of PHP FIG, right?

On 16 December 2012 15:26, Lester Caine les...@lsces.co.uk wrote:
 Lars Strojny wrote:

 for all of you who don’t know, PHP FIG (Framework Interoperability
 Group,http://www.php-fig.org/) discusses ways frameworks and libraries can
 work together and integrate much easier. Current PSRs are PSR-0 to
 standardize autoloading, PSR-1 and PSR-2 that deal with coding styles. All
 three are great initiatives so far in bridging gaps between projects and
 making the PHP ecosystem, well, rounder.


 Well I'm already classed as a dinosaur, but I have been requesting a guide
 to writing code these days, however some of the MUST elements of PSR-2 are
 totally opposite to the style guide that I have worked with for years and I
 see no point in arbitrary having to restyle 10+ years of code. Trying to
 restyle for e_strict is bad enough.

 As an example ...
 Code MUST use 4 spaces for indenting, not tabs.
 WHY - tab's has been the standard for all my C/C++ code and every other
 language and is automatically tidied up to that format by my editor. When
 did a switch of this 'rule' come in? Or is there a plan to switch all of the
 core code base to follow the same rule? ;)

 At the end of the day PHP FIG is simply an example of one style of working.
 It is perhaps the style that many developments in core are following as
 well? But it not the only way of working? Personally I prefer to avoid
 'magic loading of files' and stick with specifying what files are load and
 from where. Avoids problems with different distributions changing the rules
 themselves! I see no hope of promoting a 'flat platform' staring point,
 since each distribution loves to promote it's own style of working, and
 running PHP on top of THEIR version of the world makes some standards
 academic? Where ARE files loaded tends to be the first problem when
 debugging a new distribution :(

 --
 Lester Caine - G8HFL
 -
 Contact - http://lsces.co.uk/wiki/?page=contact
 L.S.Caine Electronic Services - http://lsces.co.uk
 EnquirySolve - http://enquirysolve.com/
 Model Engineers Digital Workshop - http://medw.co.uk
 Rainbow Digital Media - http://rainbowdigitalmedia.co.uk


 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php




-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] E_STRICT 'errors' - was Are exceptions allowed in php core?

2012-09-04 Thread Peter Lind

On 4 September 2012 15:09, Lester Caine les...@lsces.co.uk wrote:
 Pierre Joye wrote:

 On Tue, Sep 4, 2012 at 2:51 PM, Lester Caineles...@lsces.co.uk  wrote:

 ??? OH YES IT DOES !!!
 MANY times I get a a few lines of text on a white screen ...
 Switch off E_STRICT and everything works fine ... as it was on PHP5.2

 If you have any doubts about how to configure your development or
 production servers, how to use logs or how to effectively debug php
 applications, please ask questions on php-general or php-setup mailing
 lists.

 Thanks for your understanding,

 Butt out Pierre ...

 I keep being told that there is nothing wrong with E_STRICT, and again
 someone has said that it does NOT cause crashes. I beg to differ here - IT
 DOES!
 Now if you are saying that I need to document these crashes as they SHOULD
 not be happening then I'll roll things back and start doing that, but *I*
 thought that these crashes were simply a known effect of using E_STRICT? And
 so I followed the directions, and switched E_STRICT off. On production
 machines of PHP5.3 with E_STRICT enabled and on PHP5.4 one gets white screen
 crashes using older code ... as far as I was concerned that was a known
 fact. Switch it off and everything runs fine!


From php.ini:
; display_errors
;   Default Value: On
;   Development Value: On
;   Production Value: Off

In a production environment with display_errors off, E_STRICT doesn't
crash anything. Actually, even with it on, it doesn't crash anything -
shitty code does, by creating notices and then using header() calls
afterwards to create redirects.

Solution: fix your server. Fix your code. It worked for the rest of us.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] RFC for Adding __toString to DateTime

2012-09-03 Thread Peter Lind

Best solution from a random developers perspective:
- stick the 4-line solution in the docs and on to the bug report. Then
mark as won't implement

It's a far better solution than choosing a random format for users, as
should be more than evident by now.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

2012-07-31 Thread Peter Lind

On 31 July 2012 18:21, Anthony Ferrara ircmax...@gmail.com wrote:

*snip*


 Also, be aware that BCrypt only uses the first 72 characters of the
 password field. So if you use a hex encoded sha512 output, a good deal of
 entropy would be lost (almost half of it)...


Seeing as the hashing function will default (at first, at least) to
bcrypt, would it be possible to add a warning if it's given an input
longer than 72 chars? Preferably make the function context-aware so
you don't get the same warning if using sha512. Otherwise I predict
that someone will do:

$hash = password_hash($my_128_char_pepper . $password, PASSWORD_DEFAULT);

Which obviously renders the hashing useless, as you'll be hashing the
same 72 chars over and over again. Which, currently, crypt() let's you
get away with without as much as a hiccup.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [PROPOSED] password_hash RFC - Implementing simplified password hashing functions

2012-07-31 Thread Peter Lind

On 31 July 2012 22:02, Anthony Ferrara ircmax...@gmail.com wrote:
 Peter,

 On Tue, Jul 31, 2012 at 3:46 PM, Peter Lind peter.e.l...@gmail.com wrote:

 On 31 July 2012 18:21, Anthony Ferrara ircmax...@gmail.com wrote:

 *snip*

 
  Also, be aware that BCrypt only uses the first 72 characters of the
  password field. So if you use a hex encoded sha512 output, a good deal
  of
  entropy would be lost (almost half of it)...
 

 Seeing as the hashing function will default (at first, at least) to
 bcrypt, would it be possible to add a warning if it's given an input
 longer than 72 chars? Preferably make the function context-aware so
 you don't get the same warning if using sha512. Otherwise I predict
 that someone will do:

 $hash = password_hash($my_128_char_pepper . $password, PASSWORD_DEFAULT);

 Which obviously renders the hashing useless, as you'll be hashing the
 same 72 chars over and over again. Which, currently, crypt() let's you
 get away with without as much as a hiccup.


 That's actually a very good idea.

 I'm curious though. Should we warning? Or should we sha512 hash (to bring
 down to 64 chars)...  That's something I think would be worth reaching out
 to the crypt() maintainers for advice...

I'd be wary of not doing what people actually expect - i.e. hash the
provided string with the specified algo. Better to educate the users,
I'd say, through a warning. Anyway, as you said, would be good to get
other opinions on this.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
CV: careers.stackoverflow.com/peterlind
LinkedIn: plind
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Adding a simple API for secure password hashing?

2012-06-14 Thread Peter Lind

* snip*

 Stas has the right approach, not only should the methods be simplified and
 platform/algorithm agnostic but have a proper salt built in (there are a
 few CSPRNG implementations around), I've seen salts used from numbers to
 md5's to just being skipped altogether.

 Well, just to be clear, a salt does not need a CSPRNG. All it needs to
 be is reasonably unique. In fact, I wouldn't make it CS, as that would
 deplete the available entropy in the system for CSPRNG generation.

Whether or not a CSPRNG is needed depends on what you're doing, your
needed level of security. Perhaps add a parameter to control this, so
it would be possible to make use of this function even if you need the
maximum level of security? If it's not available, the function should
fail in some suitable fashion.

*snip*

 Or, we could implement a system like I did in
 https://github.com/ircmaxell/PHP-CryptLib/tree/master/lib/CryptLib/Random
 that follows RFC4086: http://tools.ietf.org/html/rfc4086#section-5.2
 Where it mixes together several sources of weak and moderate strength
 PRNG...

Will the entropy multiply by mixing sources? I.e. will the result be
more random? Won't it just be as random as the most random source?

Other than that, the SPL version seems like a nice idea.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Adding a simple API for secure password hashing?

2012-06-14 Thread Peter Lind

On 14 June 2012 15:35, Anthony Ferrara ircmax...@gmail.com wrote:
 Peter,

 Whether or not a CSPRNG is needed depends on what you're doing, your
 needed level of security. Perhaps add a parameter to control this, so
 it would be possible to make use of this function even if you need the
 maximum level of security? If it's not available, the function should
 fail in some suitable fashion.

 For password hashing, it won't ever be needed for the salt. The salt
 is not a secret in the context of cryptography. But, on that note, if
 we were adding a stronger PRNG generator, it would be good to expose
 it natively. And that native exposure would likely take a parameter
 for CS-safe PRNG...

I would say it really depends upon the project. The salt can not only
protect against rainbow tables and password hash collisions, if it is
unknown to an attacker then it essentially acts to further strengthen
the hash by vastly expanding the keyspace. Supposing an attacker is
trying to get at the password for just one user account (say, admin)
and the hashed password is available - if the salt can be
predicted/guessed, then the keyspace is reduced to that of an unsalted
password and you can run a dictionary attack on the hash. If, on the
other hand, the salt is unpredictable and you don't have access to it,
there is no way to run a dictionary attack (offline, that is). The
security here depends upon storage as well, but the point remains - a
salt isn't by default something you can make public knowledge.

It might be a theoretical concern for most people and the people
really wanting the extra level of security would probably know well
enough how to get exactly what they need - but if provisions are made
so you could reuse the same function you might also be able to educate
developers better. I.e. make it easy to do the right thing and more
people will do it.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Adding a simple API for secure password hashing?

2012-06-14 Thread Peter Lind

On 14 June 2012 17:50, Ángel González keis...@gmail.com wrote:

*snip*

 May I ask how would you end up at the situation where the attackers have
 the password hashes but not the salt?

 Any process which needs to read the password hashes will also need
 knowledge of the salt. Thus an attacker would most likely also know both.
 That's precisely how salts are designed to work.

If your salts are not stored with your password hashes, then an sql
injection that would leak your password hashes would not leak the
salts. The recent database leaks come to mind: had they only contained
password hashes but no salts (I know the hashes were unsalted, but
*had* they been salted ...) attackers would have faced an impossible
task trying to bruteforce even just one hash. Otherwise, you'd be able
to focus on a given account (an admin account comes to mind) and spend
all your efforts on that using the typical options.

As pointed out once or twice, for most people/purposes, it's a
theoretical discussion. That doesn't mean it shouldn't be taken into
consideration though (people rarely break into your house where you
expect them to).


 I admit you could have a common salt for all users stored in php and
 only a leak of the database. But such salt would most likely be provided
 by the user, generated using a different program... expected to be secure.
 Using a shared salt is worse than a uniqe salt per user, so that's not
 something to promote either.
 You wouldn't be educating in the right way.

And I'm obviously not advocating a shared salt (at least, I wasn't
thinking I was, especially seeing as I asked for a parameter in
function to make sure that salts would be more random).

Regards
Peter


-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] running tests in parallel?

2012-05-03 Thread Peter Lind

On 3 May 2012 13:12, Derick Rethans der...@php.net wrote:
 On Thu, 3 May 2012, zoe slattery wrote:

 (a) Would it still be helpful if the tests could be run faster?

 Yes.

Running the tests on my netbook takes a very long time - yet is
presumably still a good thing to do. Having them run in parallel would
be a very nice feature :)

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] skipping optional parameters

2012-04-18 Thread Peter Lind

On 18 April 2012 07:56, Alexey Shein con...@gmail.com wrote:

*snip*


 One question about implementation:
 Given we have this function
   function create_query($where, $order_by, $join_type='', $execute = false, 
 $report_errors = true) {}
 and this statement
 On the engine level, it will be implemented by putting NULL in the place 
 where the parameter is passed.

 what value $join_type will get on this call?
 create_query(deleted=0, name,,, /*report_errors*/ true);

 NULL or empty string? I.e. will optional parameters always get NULLs
 or their default values?

It needs to be the default values, otherwise it will be a huge WTF for
developers.

With that in mind: +1 if default values are used when skipping
parameters, -1 if NULL is used when skipping parameters (not that I
have voting power, just showing preferences/support).

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Exceptions for method on non-object rather than fatal (desired feature?)

2012-02-22 Thread Peter Lind

On Feb 22, 2012 7:05 PM, Larry Garfield la...@garfieldtech.com wrote:

 On 2/21/12 5:45 PM, Tjerk Meesters wrote:

 On 22 Feb, 2012, at 2:03 AM, Ralf Langl...@b1-systems.de  wrote:

 I see no reason why it would be not desirable to have PHP raise the
 exception rather than putting more or less repeating code snippets all
 around the place. That is why I am asking.


 You must be returning false/null somewhere. It's the same effor to
 instead throw an exception or to return a Ghost family member.


 The $baby-mother() method cannot know if the using code just wants to
collect the $mother object or execute code on it. It can also not know if
having no $mother is a problem or just a fact to deal with. Unconditionally
raising an exception is a bit overkill here, at least if we would get an
exception for trying to access (null)-mother();

 Currently the user code must check each link of the chain if it is
available, although it is only interested if it can get the final result or
not.

 I'll follow the suggestion and write an RFC.


 You'll have my vote! :) bloating code with chainable checks is just
crazy, something that the engine can do much more efficiently and
unambiguously.


 I would also support this.  There's a myriad reasons why something may
return NULL or FALSE when you expect it to return an object, some of them
even legitimate.  Any function/method whose documentation line is returns
the foo object, or NULL if someone screwed up and there isn't one is
perfectly reasonable in many cases, IMO, but makes all chains a potential
fatal.  An exception would make a lot more sense, and allow us to
centralize handling of such exceptional cases rather than throwing
if-checks everywhere.  (Which is exactly what exceptions are for.)

 --Larry Garfield


 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php


Seems to me this change would encourage bad habits (breaking the law of
Demeter) which would personally put me against it.

Regards
Peter

Re: [PHP-DEV] Exceptions for method on non-object rather than fatal (desired feature?)

2012-02-22 Thread Peter Lind

On 22 February 2012 20:04, Larry Garfield la...@garfieldtech.com wrote:
 On 2/22/12 12:37 PM, Peter Lind wrote:

 I would also support this.  There's a myriad reasons why something may

 return NULL or FALSE when you expect it to return an object, some of them
 even legitimate.  Any function/method whose documentation line is returns
 the foo object, or NULL if someone screwed up and there isn't one is
 perfectly reasonable in many cases, IMO, but makes all chains a potential
 fatal.  An exception would make a lot more sense, and allow us to
 centralize handling of such exceptional cases rather than throwing
 if-checks everywhere.  (Which is exactly what exceptions are for.)


 --Larry Garfield


 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php


 Seems to me this change would encourage bad habits (breaking the law of
 Demeter) which would personally put me against it.

 Regards
 Peter


 How?  What bad habit does this encourage?


 --Larry Garfield


As I wrote, the law of Demeter (http://en.wikipedia.org/wiki/Law_Of_Demeter)

The OP started out with this code example, as a reason to introduce the change:

$granny_name = $baby-getMother()-getMother()-getName();

The code shouldn't be aware of all the links, it's a bad habit. Rewrite to:

$granny_name = $baby-getGrandmother()-getName()

or

$granny_name = $baby-getGrandmotherName();

And with the latter, you've reduced the amount of checks you have to
do, by putting them in the proper places (if baby and mother objects
inherit from the same class you've essentially got one check on null
inside getMother(), not many spread out in client code). Also, the
client code now only knows about the immediate surroundings - and
should obviously know if getGrandmother() or getGrandmotherName() can
throw exceptions.

So as far as I'm concerned, the feature proposed just makes it a
easier to couple your code more tightly. I'd rather the language
discouranged that - or at least not encourage it.

Regards
Peter


-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] 5.4's New De-referencing plus assignment

2011-11-30 Thread Peter Lind

On 30 November 2011 19:59, Will Fitch will.fi...@gmail.com wrote:
 Again, back to my question of why not use:

 MyComponent::factory($bar, $option);

 Depending on what ::factory does, it could then pass $option(s) to the 
 constructor or method getting your instance needed.


It brings to mind a review of Dart by a perl-guy
(http://blogs.perl.org/users/rafael_garcia-suarez/2011/10/why-dart-is-not-the-language-of-the-future.html).
Specifically:

I should note that the integration of popular design patterns at the
syntax level is disappointing: design patterns tend to emerge to work
around a language design's weaknesses. Embracing them is a bit like
admitting a design failure up front.

The proposed change has the same feel to it.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Final version, RFC release process

2011-06-02 Thread Peter Lind

On 2 June 2011 10:23, Pierre Joye pierre@gmail.com wrote:
 On Thu, Jun 2, 2011 at 7:32 AM, Peter Lind peter.e.l...@gmail.com wrote:

 Sorry for jumping into the thread, but I couldn't help noting that you seem
 confused about the distro suggestion. I think Ubuntu was the example, and
 there's nothing random at all about their release process. There are fixed
 timelines and life cycles in Ubuntu - having less branches does not in any
 way stop them from having a fixed release process and schedule.

 It is about random release being chosen as LTS. For many users, it
 will preventing migration until a given feature is part of a LTS
 release.

 Our proposal to have fixed life time and release cycles does not have
 this random effect and each x.y release is equally supported for the
 same duration. The amount of branches can be reduced easily and even
 if we may have many at one point, it will be only about sec fixes,
 that's really not a problem (a bit of automated tasked will help here
 too).

Then it's an argument about wording, not content. See
https://wiki.ubuntu.com/Releases : the LTS have fixed life time and
come at fixed intervals - basically exactly the same you propose with
fixed life time and release cycles.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Final version, RFC release process

2011-06-02 Thread Peter Lind

On 2 June 2011 12:40, Pierre Joye pierre@gmail.com wrote:

*snip*


 No, it is the same that what we proposed. What we proposed is that
 every release is actually a LTS release. What Ubuntu uses works fine
 for distros given that it is a distro with an insane amount of totally
 unrelated projects they distribute, and alternative repositories exist
 for almost each of them.

 For a programming language, it is a totally different story.


That makes more sense - you were, however, arguing against random LTS
releases which was rather confusing (there's a big difference between
every release is an LTS and all LTS releases are random - those
are not the only options).

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Final version, RFC release process

2011-06-02 Thread Peter Lind

On 2 June 2011 13:03, Pierre Joye pierre@gmail.com wrote:
 On Thu, Jun 2, 2011 at 1:01 PM, Peter Lind peter.e.l...@gmail.com wrote:
 On 2 June 2011 12:40, Pierre Joye pierre@gmail.com wrote:

 *snip*


 No, it is the same that what we proposed. What we proposed is that
 every release is actually a LTS release. What Ubuntu uses works fine
 for distros given that it is a distro with an insane amount of totally
 unrelated projects they distribute, and alternative repositories exist
 for almost each of them.

 For a programming language, it is a totally different story.


 That makes more sense - you were, however, arguing against random LTS
 releases which was rather confusing (there's a big difference between
 every release is an LTS and all LTS releases are random - those
 are not the only options).

 The randomness is about which release-features tuples would become a
 LTS, that's something that can't apply well to a project like php.


It's hard to see how that would be any more or less random than now,
given that it would still be a question of votes or consensus.
Presumably, features would not be removed (unless they were bad for
the language) and so they would still make it into LTS releases - the
next one up.

Anyway, I'll stop it here, as I doubt I'll convince you of anything
(and vice versa).

Just one thing to add: thanks for the work on PHP :) Much appreciated.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [PATCH] Notice on array to string convertion

2011-06-02 Thread Peter Lind

On 2 June 2011 16:50, Reindl Harald h.rei...@thelounge.net wrote:


 Am 02.06.2011 16:24, schrieb Marcel Esser:
 I am not convinced that making this an error is a good idea.

 If I receive a $_GET/$_POST value that I expect to be a string value, but I 
 actually received an array, this would
 mean I need to now explicitly check for it, since it will stop the runtime 
 otherwise.

 so fix your code jesus christ

How about you take your medication, then chill down, then consider
your messages a couple of times before sending? It would make the
atmosphere quite a bit nicer.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Final version, RFC release process

2011-06-01 Thread Peter Lind

On Jun 2, 2011 12:46 AM, Pierre Joye pierre@gmail.com wrote:

 hi Chris

 On Thu, Jun 2, 2011 at 12:34 AM, Christopher Jones
 christopher.jo...@oracle.com wrote:
 
 
  On 06/01/2011 03:09 AM, Pierre Joye wrote:
 
  URL: https://wiki.php.net/rfc/releaseprocess
 
  Pierre,
 
  There are some immediately practical things here.  Some things will
  be a large jolt for the community and might be better introduced in
  future releases.
 
  Chris
 
  Good:
   - Scheduled releases
   - Use of RFCs
   - No PHP script breakages in x.y.z+1 releases
 
  Too complex or not good:
   - Number of concurrent branches: Johannes's suggestion was good

 This proposal for distros not for programming languages or similar
 tools. All users I talk to need fixed timeline, life cycle, etc. to
 have a clear and plan-able way to deal with php versions.


Sorry for jumping into the thread, but I couldn't help noting that you seem
confused about the distro suggestion. I think Ubuntu was the example, and
there's nothing random at all about their release process. There are fixed
timelines and life cycles in Ubuntu - having less branches does not in any
way stop them from having a fixed release process and schedule.

Regards
Peter

Re: [PHP-DEV] [RFC] Return type-hint

2011-04-29 Thread Peter Lind

On Apr 29, 2011 4:47 PM, Martin Scotta martinsco...@gmail.com wrote:


  Martin Scotta


 On Thu, Apr 28, 2011 at 5:15 PM, Peter Lind peter.e.l...@gmail.com
wrote:

 2011/4/28 Martin Scotta martinsco...@gmail.com:

 * snip *

  IMHO I would not trust on any return value, as PHP did not ensure
anything
  about them.
  Even more, I do not write code that depend on return values, I prefer
to
  use input/output parameters,

 I cannot help but wonder why PHP is your language of choice. I mean no
 disrespect, but PHP does not have strict typing (for a reason) and
 forcing it upon PHP seems strange to me. Seeing as a) you'll either
 have to implement the return type hinting yourself in which case you'd
 know anyway what the return value is or b) you'd have to have others
 implement it in their libraries in which case you'd have to wait years
 for any noticeable effect, the feature seems useful only in edge cases
 (such as Hiphop, which I think one can question the mainstream
 usefulness of, currently).


 I understand why PHP does not have strict typing as much as I understand
why PHP do not have good-qualities third-party libraries.
 I'm not saying that there aren't good libraries, but the language has many
holes that makes almost impossible to build solid library (ie: include)

I have come across good php libraries. In fact, I haven't used ant really
bad ones. Again, maybe its a question of different environments - but I
cannot see any reason why building a library should be inherently harder in
php than strictly-typed languages.

 All the strictness of ppp, typehint and the like are not restrict things,
they are meant as boundaries for client code, to ensure the correct and well
defined behavior.

There's a very big difference between ppp and typehinting. As Stas noted,
they serve very different purposes - and while ppp typically goes with oop
(though not in every language), strict typing is not in any way necessary to
do oop. That should be obvious given the large amount of working oop code
out there.

 It's ok if you write all you code as procedural, or you don't like to
write classes, but IMHO the language should provide a solid foundation for
them, this way you can rely on libraries for common task and make your
procedural code even simpler, shorter and safer.

My background was assembler before languages like php. To me, strict typing
makes it harder, not easier, to make or use a good library. That's not to
say that strict typing is bad - just that what you need depends on your
experience. I've never had a need for strict typing in php, I don't find
myself making the errors that strict typing solves in, say c#.

 I'm not sure if return typehint will be a good idea, but I'm not against
it.
 I believe the language has to deal with other pending stuff prior to
this. PHP has many blind areas, whenever you call something, you don't know
if you will return or it will just die in a non-sense Fatal error.

Honestly, I've never had this problem, and I'd like to hear mire of your dev
environment to see what leads to them :)

Regards
Peter


 Personally, I read code if I'm not sure what a given function/method
 will return - or just test. I actually thought unit tests took care of
 issues like this. I don't think having a list of possible return
 values would make things simpler than the good old try it and see -
 which is one of the greatest assets of PHP.

  This is the safer way I've found to achieve the same behavior
 
  function no_return(ReturnStatus $returnStatus) {
doSomething();
 
if ( itWasOk() )
{
$returnStatus-setReturnValue( new Foo ); // return type hint
$returnStatus-success(); // return status
}
elseif ( isWasCritical() )
{
$returnStatus-setException( new RuntimeException );
$returnStatus-exception(); // return status
}
else
{
$returnStatus-fail(); // return status
}
  }
 
  Of course I don't write all functions like this.
  This is pattern I use when I need to ensure that the type returned is
valid.

 I just return what I need to from the function/method or throw an
 exception. Indicating that you want to throw an exception instead of
 actually throwing one seems ... overly polite, at best. As far as I
 can tell, you'd have to check the ReturnStatus object anyway, so I
 don't see how you're any safer (PHP has functions for checking null
 values, false values, try/catch blocks and other things too). But
 maybe we're dealing with very different development environments and I
 just cannot see the usefulness of the suggested as it wouldn't make a
 positive difference in mine.

 Just a perspective from a typical webdev.
 Regards
 Peter

 --
 hype
 WWW: plphp.dk / plind.dk
 LinkedIn: plind
 BeWelcome/Couchsurfing: Fake51
 Twitter: kafe15
 /hype

Re: [PHP-DEV] [RFC] Return type-hint

2011-04-28 Thread Peter Lind

2011/4/28 Martin Scotta martinsco...@gmail.com:

* snip *

 IMHO I would not trust on any return value, as PHP did not ensure anything
 about them.
 Even more, I do not write code that depend on return values, I prefer to
 use input/output parameters,

I cannot help but wonder why PHP is your language of choice. I mean no
disrespect, but PHP does not have strict typing (for a reason) and
forcing it upon PHP seems strange to me. Seeing as a) you'll either
have to implement the return type hinting yourself in which case you'd
know anyway what the return value is or b) you'd have to have others
implement it in their libraries in which case you'd have to wait years
for any noticeable effect, the feature seems useful only in edge cases
(such as Hiphop, which I think one can question the mainstream
usefulness of, currently).

Personally, I read code if I'm not sure what a given function/method
will return - or just test. I actually thought unit tests took care of
issues like this. I don't think having a list of possible return
values would make things simpler than the good old try it and see -
which is one of the greatest assets of PHP.

 This is the safer way I've found to achieve the same behavior

 function no_return(ReturnStatus $returnStatus) {
   doSomething();

   if ( itWasOk() )
   {
       $returnStatus-setReturnValue( new Foo ); // return type hint
       $returnStatus-success(); // return status
   }
   elseif ( isWasCritical() )
   {
       $returnStatus-setException( new RuntimeException );
       $returnStatus-exception(); // return status
   }
   else
   {
       $returnStatus-fail(); // return status
   }
 }

 Of course I don't write all functions like this.
 This is pattern I use when I need to ensure that the type returned is valid.

I just return what I need to from the function/method or throw an
exception. Indicating that you want to throw an exception instead of
actually throwing one seems ... overly polite, at best. As far as I
can tell, you'd have to check the ReturnStatus object anyway, so I
don't see how you're any safer (PHP has functions for checking null
values, false values, try/catch blocks and other things too). But
maybe we're dealing with very different development environments and I
just cannot see the usefulness of the suggested as it wouldn't make a
positive difference in mine.

Just a perspective from a typical webdev.
Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] How deep is copy on write?

2011-01-19 Thread Peter Lind

On 19 January 2011 20:05, la...@garfieldtech.com la...@garfieldtech.com wrote:
 So it sounds like the general answer is that if you pass a complex array to
 a function by value and mess with it, data is duplicated for every item you
 modify and its direct ancestors up to the root variable but not for the rest
 of the tree.

 For objects, because of their pass by handle-type behavior you are
 (usually) modifying the same data directly so there's no duplication.

 Does that sound correct?

 Related: What is the overhead of a ZVal?  I'm assuming it's a fixed number
 of bytes.


http://lmgtfy.com/?q=php+zvall=1

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] new foo()-bar()

2010-11-26 Thread Peter Lind

On 26 November 2010 20:36, Felipe Pena felipe...@gmail.com wrote:
 Hi all,
 I'm here again to presents another proposal, which adds support for
 instantiating a class and calling its methods and accessing its properties
 on same command.

 Example:

 ?php

 class bar {
  public $x = 'PHP';
 }

 class foo extends bar {
  public function bar() {
    return $this;
  }
 }

 var_dump(new foo()-bar()-x); // string(3) PHP

 ?

 Other examples which describes the feature at
 http://wiki.php.net/rfc/instance-method-call

 Thoughts?

It seems fairly handy and I've been in situations where I wanted to do
something like that - in fact, I use factories to achieve something
similar.
 However, the more I use it, the more it feels like introducing code
smells into my code. You're essentially instantiating an object only
to immediately throw it away. That means you don't actually need the
object at all, you should probably be looking for static methods or
class properties. Trying to avoid statics by introducing a way to
instantiate and throw away objects in the same statement feels a lot
like reinventing OOP while adding overhead.

Anyway, just a personal observation. I generally favour the way that
PHP allows you to dig your own grave (i.e. I love the freedom of the
language), so as a developer I would probably favour this as well,
though I find it mainly a way to introduce hacks.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] new foo()-bar()

2010-11-26 Thread Peter Lind

On 26 November 2010 21:37, Ferenc Kovacs i...@tyrael.hu wrote:


 On Fri, Nov 26, 2010 at 9:25 PM, Peter Lind peter.e.l...@gmail.com wrote:

 On 26 November 2010 20:36, Felipe Pena felipe...@gmail.com wrote:
  Hi all,
  I'm here again to presents another proposal, which adds support for
  instantiating a class and calling its methods and accessing its
  properties
  on same command.
 
  Example:
 
  ?php
 
  class bar {
   public $x = 'PHP';
  }
 
  class foo extends bar {
   public function bar() {
     return $this;
   }
  }
 
  var_dump(new foo()-bar()-x); // string(3) PHP
 
  ?
 
  Other examples which describes the feature at
  http://wiki.php.net/rfc/instance-method-call
 
  Thoughts?

 It seems fairly handy and I've been in situations where I wanted to do
 something like that - in fact, I use factories to achieve something
 similar.
  However, the more I use it, the more it feels like introducing code
 smells into my code. You're essentially instantiating an object only
 to immediately throw it away. That means you don't actually need the
 object at all, you should probably be looking for static methods or
 class properties. Trying to avoid statics by introducing a way to
 instantiate and throw away objects in the same statement feels a lot
 like reinventing OOP while adding overhead.

 Anyway, just a personal observation. I generally favour the way that
 PHP allows you to dig your own grave (i.e. I love the freedom of the
 language), so as a developer I would probably favour this as well,
 though I find it mainly a way to introduce hacks.


 1, I have to use a non-trivial library or module for a simple task, and I
 don't want to write 20 line of code, and introduce 4 helper variable.

If it's a one-off, then I really don't see the problem. If you're
facing it again, write a facade.

 2. I want to get from point 1 to point 5 but I'm not interested in the steps
 in-between (classical method chaining), but sadly one of the steps requires
 object instantiation.

If it's your code, then why are you not simplifying it? What's the
point of writing code that you have to go through in five steps? Why
not write a wrapper method?
 The reasons presented sounds quite like I want to be able write
hacks easier rather than I want to fix an actual problem. I.e.
there are solutions for this already that use OOP principles.

That said, this fix may very well address other situations :)

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] new foo()-bar()

2010-11-26 Thread Peter Lind

On Friday, November 26, 2010, Gustavo Lopes glo...@nebm.ist.utl.pt wrote:
 On Fri, 26 Nov 2010 20:25:32 -, Peter Lind peter.e.l...@gmail.com wrote:


 It seems fairly handy and I've been in situations where I wanted to do
 something like that - in fact, I use factories to achieve something
 similar.
  However, the more I use it, the more it feels like introducing code
 smells into my code. You're essentially instantiating an object only
 to immediately throw it away.


 Not necessarily; you could be calling the method for the collateral effects 
 and that method return the object itself. This is not that uncommon.


And I can do that today with a factory pattern, if I want to.
Anyway, I don't want to argue against the feature, as it will just
introduce a slightly shorter version of something we can already do.

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] new foo()-bar()

2010-11-26 Thread Peter Lind

On Friday, November 26, 2010, Gustavo Lopes glo...@nebm.ist.utl.pt wrote:
 On Fri, 26 Nov 2010 20:25:32 -, Peter Lind peter.e.l...@gmail.com wrote:


 It seems fairly handy and I've been in situations where I wanted to do
 something like that - in fact, I use factories to achieve something
 similar.
  However, the more I use it, the more it feels like introducing code
 smells into my code. You're essentially instantiating an object only
 to immediately throw it away.


 Not necessarily; you could be calling the method for the collateral effects 
 and that method return the object itself. This is not that uncommon.


And I can do that today with a factory pattern, if I want to.
Anyway, I don't want to argue against the feature, as it will just
introduce a slightly shorter version of something we can already do.

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Feasibility of additional support around constants.

2010-11-08 Thread Peter Lind

*snip*

Seems to me that some of this could be handled with a custom built
function wrapping
http://dk2.php.net/manual/en/function.get-defined-constants.php

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] rename T_PAAMAYIM_NEKUDOTAYIM to T_DOUBLE_COLON

2010-10-30 Thread Peter Lind

Den 2010 10 30 03:51 skrev Chad Emrys ad...@codeangel.org:

* snip *

 What is in a name anyway?

There's something VERY ironic about a statement like that given what you're
asking for ...

Regards
Peter

Re: [PHP-DEV] rename T_PAAMAYIM_NEKUDOTAYIM to T_DOUBLE_COLON

2010-10-30 Thread Peter Lind

On 30 October 2010 09:09, Mike Van Riel mike.vanr...@naenius.com wrote:

* snip *

 (additionally I wonder why people ask such a simple question on IRC whilst
 googling provides your answer faster..)

Most of the people coming to ##php on freenode asking questions like
that have a hard time learning (on their own or at all) - they expect
to be spoonfed. Changing the token name might lower the frequency of
this particular question, but it would have no overall effect on the
number of people coming to ask questions they could get answered in
two seconds by google.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] rename T_PAAMAYIM_NEKUDOTAYIM to T_DOUBLE_COLON

2010-10-30 Thread Peter Lind

On 30 October 2010 09:34, Chad Emrys ad...@codeangel.org wrote:
 On 10/30/2010 02:16 AM, Peter Lind wrote:

 On 30 October 2010 09:09, Mike Van Rielmike.vanr...@naenius.com  wrote:

 * snip *



 (additionally I wonder why people ask such a simple question on IRC
 whilst
 googling provides your answer faster..)


 Most of the people coming to ##php on freenode asking questions like
 that have a hard time learning (on their own or at all) - they expect
 to be spoonfed. Changing the token name might lower the frequency of
 this particular question, but it would have no overall effect on the
 number of people coming to ask questions they could get answered in
 two seconds by google.

 Regards
 Peter



 It's the same argument everyone else is giving,  and really it all comes
 down to this.:

 Nostalgia is valued over clarity and consistency.

 Do you guys REALLY want to claim that?


I wasn't arguing for or against a switch, just providing some
background. That said, people with no google skills bugging you on irc
is a very poor excuse for change. As for the rest of the discussion,
both sides seem to have merit, in my opinion.

Regards
Peter


-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] rename T_PAAMAYIM_NEKUDOTAYIM to T_DOUBLE_COLON

2010-10-30 Thread Peter Lind

On 30 October 2010 19:18, Chad Emrys ad...@codeangel.org wrote:
 On 10/30/2010 11:58 AM, Daniel P. Brown wrote:

 On Sat, Oct 30, 2010 at 12:47, Chad Emrysad...@codeangel.org  wrote:


 It's not that I'm that sure of myself, it's that I believe that my
 opinion
 has merit, and I keep seeing the exact same argument over and over again
 that I believe is not a very good argument (They can just google it
 thing).
  Some other people have provided other arguments as well and those are
 more
 valued. (Though I don't think they are strong enough reasons yet NOT to
 do
 it).


     It does have merit --- to you, and perhaps a few others.
 Hopefully without sounding like I'm ridiculing you (it's not my
 intent), have you seriously considered this at all, and are you
 realizing that it's just not going to happen at this time?  I mean, if
 you submitted a request or implementation proposal for an INI-based
 option to switch between token strings and expanded help messages,
 that would likely receive more serious attention than the dismissive
 responses and formed opinions of your own insight as based upon this
 discussion.



 Forking won't fix this particular problem.


     Well, if your statement about how no one here who disagrees with
 you does enough support (which is, quite frankly, an asinine
 assessment), then an equal rebuttal will be that you do not know
 enough about the inner workings of the software you claim to support,
 nor the culture of the group who maintains it.

     You're taking a minor annoyance and trying to convince the masses
 - and indeed the powers that be - that it is tantamount to Y2K38.
 Again, I'm really not trying to insult you or your original opinion
 here, Chad, but the continued arguments are almost coming off as silly
 now.



 If you haven't noticed, I am a bit stubborn, yes it's a problem.  When I
 submitted this proposal, I have to at least try to plant a bug in their
 brain that perhaps, they are being to hasty on dismissing this argument.
  True, I do not know a lot about this particular culture that maintains PHP.
  I just know the bigger culture of those who use PHP, and some of them are
 quite annoyed by the dismissive nature of the maintainers who are quite at
 odds to what the majority of the community want or needs.  And I am sort of
 glad to annoy those who are overly dismissive, and hopefully ploy the one's
 who are on the fence.

 No one said I was good at politics.  But the fact one has to play the
 politics game here to get anything worth while doesn't really phase me.

 Now I am starting to find this argument straying from the point.  I don't
 believe attacking me personally or me attacking the nature of this mailing
 list really has to do with the subject line.


Why not throw your weight behind http://wiki.php.net/rfc/lemon ? Seems
to me that might get a lot more traction.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] rename T_PAAMAYIM_NEKUDOTAYIM to T_DOUBLE_COLON

2010-10-30 Thread Peter Lind

On 30 October 2010 22:13, Chad Emrys ad...@codeangel.org wrote:

*snip*


 I actually know Etienne, he does spend some of his time fighting the good
 fight of supporting PHP :p.  Anyway he has said the lemon parser project is
 going kind of slow as it is proving to be more difficult because some of the
 weirdness in PHP. (Don't ask me what that means.) Maybe more help should be
 put into that effort?

That was my point: perhaps that would be a less futile fight than
trying to persuade people that t_paamayim_nekudotayim should be
renamed.

Regards
Peter

-- 
hype
WWW: plphp.dk / plind.dk
LinkedIn: plind
BeWelcome/Couchsurfing: Fake51
Twitter: kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] [RFC] Array Dereferencing

2010-06-08 Thread Peter Lind

On 8 June 2010 17:28, Brian Moon br...@moonspot.net wrote:
 The operator that really determines this is 'new' - which is already
 documented. So there isn't any ambiguity. Not to say that documenting
 the other operators would be bad, just saying there's no ambiguity
 here :)
  Also, allowing new (blah()); would be a fairly big BC break I'd say.

 How? Maybe you don't understand what BC break means. Currently, new (
 produces a parse error. So, no old code would ever be broken. That is what a
 BC break is. A change to the system that breaks old code. New code very
 often does not run on older versions of the parser.

I do understand what BC break means - I was probably just too quick on
that one. I figured that allowing 'new (blahblah())' would introduce
ambiguity for handling parentheses in general with regards to 'new',
but I'm probably wrong.

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
BeWelcome/Couchsurfing: Fake51
Twitter: http://twitter.com/kafe15
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Type hinting

2010-05-23 Thread Peter Lind

On 23 May 2010 07:52, Larry Garfield la...@garfieldtech.com wrote:
 On Saturday 22 May 2010 11:43:50 pm Zeev Suraski wrote:
 At 01:01 23/05/2010, Hannes Magnusson wrote:
 On Sat, May 22, 2010 at 22:39, Lukas Kahwe Smith m...@pooteeweet.org
 wrote:
   On 22.05.2010, at 18:30, Josh Davis wrote:
   As you wrote, you worked on PHP's _type system_ which is dynamic,
   really cool, juggles strings with ints and what not. However, the
   topic here is the _type hinting system_. As far as I know, there's no
   weak type hinting; if a method signature hints for an array and is
   given an integer, it throws a catchable fatal error. Therefore, as a
   user, what I am familiar to is a strict _type hinting system_.
   Anything else would feel inconsistent to me.
 
 I agree. function foo(array $x) {} foo(123); doesn't cast int(123) to
 array(123) so introducing different meaning for scalar types feels
 very very wrong.

 You're ignoring one simple fact - in PHP, scalar types are
 interchangeable.  Unlike array-scalar which has always been a corner
 case and a sketchy one (and I said numerous times that had I rewrote
 the language now, array-scalar conversion would have probably
 resulted in an error) - string-number, number-string,
 string-boolean conversions are a cornerstone of the language.  If
 you don't like the fact that PHP's scalar types are interchangeable -
 you're in the wrong language!

 In terms of consistency, the difference between array type hinting
 and scalar type hinting you allude to is negligible in comparison to
 the inconsistency with, well, just about every other part of the
 language - operators, control structures and built-in functions
 (expecting sqrt(64) to fail, since sqrt() expects a
 number?  expecting if (7) to fail, since it expects a
 boolean?).  Auto-converting type hinting extends the same semantics
 available to internal functions (through zend_parse_parameters()) to
 userland functions.  That consistency is by far the most important IMHO.

 Zeev

 I have to largely agree with Zeev here.  I'm not an internals developer but I
 do write a lot of widely used framework-ish open source PHP.

 The current OO type specifying system I have always mentally viewed, and most
 people I know seem to view it, as a check not for is this an X, but can I
 treat this as X without things exploding?  In the context of an object,
 exploding would mean a method not found fatal.  In the context of an
 array, it would be the dreaded parameter 1 to foreach() is not an array.
 The idea is two fold: One, better documentation (especially for code
 assistance IDEs), and two, if it's going to explode it should explode in a way
 that's useful in terms of where it exploded.  (Vis, the error message is on a
 useful line and tells me what the actual problem was.)

 For scalar types, exploding would mean loss of precision.  There is no loss
 of precision in converting 5 to int(5), so that doesn't explode, nor should
 it.  There is similarly no loss of precision converting from int(5) to
 float(5), so that also shouldn't explode.  123abc does have a loss of
 precision (data would get lost in the conversion) so that should fail both int
 and float checks.

 If anything, I'd be even more forgiving than the table in Zeev and Lukas' RFP.
 float(12) converting to an int doesn't have any precision loss so I don't 
 think
 that should fail.

 The RFP includes a variety of good reasons why a more naive strict check is
 inconsistent to the point of making it a bug rather than a feature.  One in
 particular I want to call out: Everything that comes back from a database does
 so as a string.  To wit:

 table users(user_id, name, pass, blah);

 $user_id = $pdo-query(SELECT user_id FROM users WHERE name='bob' AND
 pass='foo')-fetchColumn();


 doStuff($user_id);

 function doStuff(int $user_id) {
  // Whatever.
 }


 The above code will fail with the current implementation, even though we know
 for a fact that user_id is integer data because that column is an int in the
 database itself.  Requiring an extra blind (int) stuffed in there is 
 pointless,
 and if anything just trains people to blindly cast data without thinking about
 what it really is.  I can see that introducing more bugs than it avoids.

 --Larry Garfield


+1

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Obscure token name

2010-04-29 Thread Peter Lind

On 29 April 2010 15:42, mathieu.suen mathieu.s...@easyflirt.com wrote:
 Steven Van Poeck wrote:

 Folks, can't you just accept that T_PAAMAYIM_NEKUDOTAYIM is intended to
 make you smile?  There's nothing to see here, please move along.

 - Martin

 +1

 Don' t you read what I say?

I'd be surprised if they haven't read it. My guess: they just don't
care because it seems you're kicking up a fuss about very little -
i.e. you're whining because you had to google.

If only all problems were as small as that.

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] A critique of PHP 6

2010-04-21 Thread Peter Lind

On 21 April 2010 11:46, Adi Nita adi.n...@gmail.com wrote:
 I cannot agree with the idea of preferring
 working applications to good working applications.

Except that's not what's at stake. The application does not become one
bit better or worse by using an updated function that's more
consistent with other functions. The *language* is what might become
better or worse by the change, not any applications. The *side-effect*
however, is that you're forcing incredible amounts of developers to
fix code if they want to move it to a newer version of PHP. With the
risk of having tons of code break or just never migrated to newer
versions of PHP with all the problems which that creates.
 A better option would probably be to introduce functions that
essentially do exactly the same as the old ones but consistently with
the other functions. Then deprecate the old functions slowly - no
instant BC break and people can migrate to the new proper functions in
good time.

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
/hype

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Assign array with __get

2010-03-19 Thread Peter Lind

Have you considered that perhaps you're trying to use the wrong
language for what you're doing? PHP does what it does now consistently
(in this regard) - what you're suggesting breaks that consistency. To
gain what, exactly?

On 19 March 2010 17:07, mathieu.suen mathieu.s...@easyflirt.com wrote:
 Right I could work around the issue with the return by reference without any
 problem.
 I am still thinking that if you try to write a meta-circular interpreter you
 gonna work very hard
 to make this subtleties worked. And according to Shriram Krishnamurthi in
 his textbook PLAI:

  a truly powerful language is one that makes it easy to write its
 meta-circular interpreter.

 -- Mathieu Suen



 Ionut G. Stan wrote:

 I guess what Mathieu is trying to say is that this:

    class Foo
    {
        public $bar = array();
    }

    $foo = new Foo;
    $foo-bar[3] = 1;

    var_dump($foo);




 ...is inconsistent with this:

    class Foo
    {
        public function __get($property)
        {
            if (! isset($this-$property)) {
                $this-$property = array();
            }

            return $this-$property;
        }
    }

    $foo = new Foo;
    $foo-bar[3] = 1;

    var_dump($foo);




 ...or even this:

    class Foo
    {
        private $bar = array();

        public function __get($property)
        {
            return $this-$property;
        }
    }

    $foo = new Foo;
    $foo-bar[3] = 1;

    var_dump($foo);


 Now, I'm not really sure this is that bad, as there may be use cases where
 one would like to return different values every time __get is called. And,
 as I wrote in a previous email, there are ways to work around this
 inconsistency by using return by reference, so everybody can be happy. I
 think.



 On 3/19/10 4:56 AM, Etienne Kneuss wrote:

 On Thu, Mar 18, 2010 at 5:47 PM, mathieu.suen
 mathieu.s...@easyflirt.com  wrote:

 Peter Lind wrote:

 On the contrary, it's quite obvious what's going on. In both examples
 __get() returns an array as PHP would normally do it (i.e. NOT by
 reference) which means that if you try to modify that you'll end up
 modifying nothing much. However, in your second example, the point at
 which you call __get() indirectly comes before the assign to the zork
 array - hence, the $this-zork['blah'] = 'blah'; no longer indirectly
 calls __get as object::$zork now exists.

  In other words, this is down to you confusing passing a variable by
 reference and passing it by value: PHP normally passes arrays by
 value, so when __get() returns an array, you're working on a copy of
 the array you returned. As someone noted earlier, you can easily
 change the behaviour of __get to return variables by reference, should
 you want to. However, I personally wouldn't want this to be default
 behaviour as that would make debugging apps much more annoying -
 things should be consistent, even if consistency at times confuse
 people.

 Regards
 Peter








 --
 PHP Internals - PHP Runtime Development Mailing List
 To unsubscribe, visit: http://www.php.net/unsub.php





-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DEV] Assign array with __get

2010-03-18 Thread Peter Lind

 I think there is a lot  to say why is not working but just look at those
 2 execution:

  1st
 class A
 {

        public function __get($name)
        {
                $this-$name = array();
                return $this-$name;
        }

        public function test()
        {
                $this-_zork;
                $this-_zork['bar'] = 67;
        }
 }

 $a = new A;
 $a-test();

 var_dump($a);
  2nd
 class A
 {

        public function __get($name)
        {
                $this-$name = array();
                return $this-$name;
        }

        public function test()
        {
                $this-_zork['bar'] = 67;
        }
 }

 $a = new A;
 $a-test();

 var_dump($a);
 


 Adding something that don't have side effect make the side effect
 work (more or less)
 You almost have to know how the VM is implemented in other to know what
 is going on.
 Nothing is obvious.


On the contrary, it's quite obvious what's going on. In both examples
__get() returns an array as PHP would normally do it (i.e. NOT by
reference) which means that if you try to modify that you'll end up
modifying nothing much. However, in your second example, the point at
which you call __get() indirectly comes before the assign to the zork
array - hence, the $this-zork['blah'] = 'blah'; no longer indirectly
calls __get as object::$zork now exists.

 In other words, this is down to you confusing passing a variable by
reference and passing it by value: PHP normally passes arrays by
value, so when __get() returns an array, you're working on a copy of
the array you returned. As someone noted earlier, you can easily
change the behaviour of __get to return variables by reference, should
you want to. However, I personally wouldn't want this to be default
behaviour as that would make debugging apps much more annoying -
things should be consistent, even if consistency at times confuse
people.

Regards
Peter

-- 
hype
WWW: http://plphp.dk / http://plind.dk
LinkedIn: http://www.linkedin.com/in/plind
Flickr: http://www.flickr.com/photos/fake51
BeWelcome: Fake51
Couchsurfing: Fake51
/hype

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php

91 matches

Mail list logo