Thanks for the response
Posted Dec 28, 2006 3:51 UTC (Thu) by denials
In reply to: Author's credentials: not enough knowledge about PHP's development?
Parent article: The state of PHP security
Thanks for the response, Jake. I can understand that you feel defensive about my comments; I comment because I care about LWN. I suspect that this is just a misstep for you and LWN; but that being said, I'll try to explain why I'm so concerned about what I'm concerned about.
I agree that twenty years of software development can help you get up to speed quickly with a new language's syntax. Understanding a language's syntax, though, does not replace the kind of research that technology journalists do to understand their subject matter before they present their opinions to a trusting audience. In this case, the subject matter is "PHP security", and you've nailed some of the historical design decisions that led to vulnerabilities. However, it is my opinion that you failed to accurately represent the state of PHP security.
My main problem with your article was not that you used an interview from 2002, but that you paraphrased Rasmus's quote from that ancient (by the world of technology measures) interview in an article called The state of PHP security without mentioning that the quote was from 2002. One suspects that most readers would be led into thinking that this statement represents the current state of PHP security:
It is an extremely dubious feature, but one that PHP creator, Rasmus Lerdorf, seems to think should have been left on by default.
I agree that this was an interesting statement, but in the interests of fairness (particularly because you noted how "amazing" the statement was) you should have, at the very least, used the past tense and explicitly noted that the statement was from 2002.
And it would have been both appropriate (for an online publication called the Linux Weekly News) and interesting to find out if Rasmus's thoughts on the matter might have changed in the last four or five years -- perhaps even get him to revisit his 2002 quote in that interview. This would have been a reasonable and decent thing to do. As the author of an article that attributed a "mind-boggling" position to Rasmus, you should not have had to hear it from me that he has since changed his mind. It was your duty to your readers to find that out and tell it to them.
You suggested that what I wanted was a different article. Again, I will agree: I wanted a better article, one that fulfilled the promise of the title by reflecting the state of PHP security. To do that, I suggest that you have to consider:
- where PHP security was (well done)
- where PHP security is (not so well done; I think everyone would agree that the proliferation of bad tutorials and poorly written applications that unfortunately have "php" in their name is a tough nut to crack, but you failed to mention the addition of the ext/filter module in 5.2.0 that has the potential to either significantly improve the security of PHP applications or become another misadventure in trying to automate security; actually, come to think of it, you missed all of the security changes in the 5.2.0 release notes from back on November 2nd, including disabling (by default) URLs in include, although you can be forgiven for missing the ongoing taint mode discussion as that just cropped up on Dec. 15th)
- and where PHP security is going (not well done: nary a mention of the readily available PHP 6 plans)
I have no hackles to raise about attacks on PHP in particular. I have developed and maintained applications in C, Java, Perl, PHP, and Python, and have written articles and/or chapters of books about all of these languages, and have spoken at conferences about Perl, PHP, and Python. I'm not a one-trick PHP pony. Having a foot in all those worlds, I will admit that it gets tiresome watching PHP get slagged without substantiating claims simply because it's accepted practice in the unwritten hierarchy of programming languages, and your article did emit a whiff of that attitude. But I primarily care about fairness, balance, and the standards that LWN has set by example in the past. If I were forced to place this article on a journalistic quality continuum between "slanderous fiction" on the one side and "shining model of balance and insight" on the other side, I would have to agree that I felt that this article fell more on the negative side of the continuum ("an attack on PHP" as you say) due to the failure to clearly state the date of Rasmus' statement, the failure to follow up with Rasmus or the PHP development team, and the general omission of significant developments in PHP security (whether by design or by lack of research).
I've been an LWN subscriber since 2003 because LWN has an excellent record of hitting the positive side of that journalistic quality continuum. As I said in a previous comment, I'm sure that the quality of this article was just a downward blip due to holiday schedule pressures.