Mar. 11th, 2005

robbat2: (Default)
Hello and welcome to the real PlanetGentoo readers.

I've been crazily busy with schoolwork lately, as I've only 6 weeks left of my final semester of university.

A number of users have been bugging me to do various things for some packages (mysql-4.1*, openldap-2.2*, autofs-4*), but I'll state right now that I'm not going to be doing those on my own for the next six weeks.
I don't feel I can provide an acceptable level of support for major changes like that on my own, and still pass my courses. This does not apply to cases where the packages are supported by a reasonable size herd that can help with my temporary lack of time, or any case where I need a package update for my job.

Reading the new PlanetGentoo, I'd like to re-iterate what ferringb said about QA & the Therac-25 problem. A very good overview of this is presented in "The Science Of Debugging" (Telles, M.A. & Yuan, H. 2001), which also covers some other major incidents, and explores the reasons behind this. The only thing I don't agree with from the book is the title, as debugging has a lot more of a holistic need to it, and also requires some intuition (we have the meta-gcc bug for all those hardware-caused failures).

On the PHP debate raging here in PlanetGentoo, I'm a strong supporter of what Stuart said. PHP is only a means to an end. If that end happens to be the average web development project, it's a very good means, as most other tools are too complex, or not complex enough. I've been involved in some web development projects where a tool more suitable than PHP was needed, and ended up using Apache Tomcat and Apache Axis together, without any troubles (other than a steeper learning curve). There is a vague possibility I'm biased, as I'm an upstream developer with phpMyAdmin (current rank #8 on SourceForge).
I do agree that there is also some incredibly bad PHP out there. I've seen several servers (including one belonging to a Gentoo dev [who shall remain nameless here]) get hacked entirely through PHP. Only once was this via any published exploit (phpBB related), and the remainder of the occurrences were spammers purposefully probing a PHP script, and then turning a box into a source of spam. The single most common problem is stupid code like include($var); where $var has not been checked in any way, and is untrusted user input - just pass it a URL of some PHP source, and watch the server run the code. This could be stopped to a limited degree if PHP got a proper taint mode (like Perl), but I don't think it would really solve the source of the problem. (I know you can limit the sources of file loading, but several of my sites need to load external material, and it is quite possible to do so if designed and coded in a secure fashion.)

Seeing some developers with Amazon wishlist links, how many devs have actually got anything they wanted sent by some grateful user?
robbat2: (Default)
Spammers are getting less and less original. I only check my Spam box once every few weeks on average, so there are some interesting patterns that emerge.
This is a set of marginal spam, sorted by the subject line. The spam rule for 'Pharm' triggered only on occurrences that had that entire string. The others scored lower, and were only caught by the body.

Now look at how their obfuscation algorithm works.
   1046 N * Mar 11 Andrew Esparza  (  22) Internet P/harmacy
   1047 N * Mar 05 Young E. Hahn   (  22) Internet P\harmacy
   1048 N * Mar 02 Lisa Kirkpatric (  22) Internet Ph!armacy
   1049 N * Mar 03 Rodger Keller   (  22) Internet Ph%armacy
   1050 N * Mar 01 Jami Hatfield   (  22) Internet Ph@armacy
   1051 N * Mar 08 Cristina Eubank (  22) Internet Ph]armacy
   1052 N * Mar 10 Arnulfo Cruz    (  22) Internet Pha(rmacy
   1053 N * Mar 11 Lula R. Chang   (  22) Internet Pha*rmacy
   1054 N * Mar 09 Clark Swan      (  22) Internet Pha/rmacy
   1055 N * Mar 07 Glen Woodruff   (  22) Internet Pha\rmacy
   1056 N * Mar 02 Hillary Abraham (  22) Internet Phar/macy
   1057 N * Mar 05 Freddy K. Stubb (  22) Internet Phar\macy
   1058 N * Mar 02 Charley Meeks   (  22) Internet Pharm(acy
   1059 N * Mar 06 Annmarie Kruege (  22) Internet Pharm*acy
   1060 N * Mar 10 Hollis Brown    (  22) Internet Pharm^acy
   1061 N * Mar 02 Sandra Barnard  (  22) Internet Pharma!cy
   1062 N * Mar 07 Johnathan W. Ba (  22) Internet Pharma*cy
   1063 N * Feb 28 Fay Kay         (  22) Internet Pharma/cy
   1064 N * Mar 01 Beverley Gibbs  (  22) Internet Pharma/cy
   1065 N * Mar 05 Deandre Carson  (  22) Internet Pharma@cy
   1066 N * Mar 08 Dexter Tatum    (  22) Internet Pharma@cy
   1067 N * Mar 03 Georgette Suthe (  22) Internet Pharma]cy
   1068 N * Mar 04 Bertha Oneil    (  22) Internet Pharmac(y
   1069 N * Feb 28 Don Neely       (  22) Internet Pharmac*y
   1070 N * Mar 07 Art Sewell      (  22) Internet Pharmac/y
   1071 N * Mar 06 Brian Ellison   (  22) Internet Pharmac[y


I think if somebody could come up with an efficient algorithm to detect permutations of a string with N characters wrong, spam detection could improve a reasonable amount.
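
One way to approach the matching problem raised above is approximate substring search by edit distance (Sellers' variant of the Levenshtein dynamic program). This is an added example, not part of the original post; the function names, the error threshold and the two subjects marked as constructed are assumptions, and it goes beyond the single inserted character seen in the listing by also tolerating substituted and dropped characters.

```python
import re

# Subject is whatever follows the "(  22)" line-count column of the index line.
INDEX_LINE = re.compile(r"\(\s*\d+\)\s+(?P<subject>.*)$")

def min_substring_distance(keyword: str, text: str) -> int:
    """Smallest edit distance between `keyword` and ANY substring of `text`.
    Runs in O(len(keyword) * len(text)) time and O(len(keyword)) memory."""
    keyword, text = keyword.lower(), text.lower()
    # prev[i]: cost of matching keyword[:i] against a substring ending at the
    # previous text position. Before any text is read that is i missing chars.
    prev = list(range(len(keyword) + 1))
    best = prev[-1]
    for ch in text:
        cur = [0]  # a match may start at any text position at no cost
        for i, kc in enumerate(keyword, 1):
            cur.append(min(
                prev[i - 1] + (kc != ch),  # same char, or one substituted
                prev[i] + 1,               # junk char inserted in the text
                cur[i - 1] + 1,            # keyword char dropped from text
            ))
        best = min(best, cur[-1])
        prev = cur
    return best

def subject_of(index_line: str) -> str:
    m = INDEX_LINE.search(index_line)
    return m.group("subject") if m else index_line.strip()

def flag_subjects(lines, keyword="pharmacy", max_errors=1):
    """Return subjects containing `keyword` with at most `max_errors` edits."""
    subjects = (subject_of(line) for line in lines)
    return [s for s in subjects
            if min_substring_distance(keyword, s) <= max_errors]

SAMPLE_INDEX = [
    "   1046 N * Mar 11 Andrew Esparza  (  22) Internet P/harmacy",   # from the listing
    "   1052 N * Mar 10 Arnulfo Cruz    (  22) Internet Pha(rmacy",   # from the listing
    "   1071 N * Mar 06 Brian Ellison   (  22) Internet Pharmac[y",   # from the listing
    "   2001 N   Mar 11 Example Sender  (  10) Ph4rmacy refill",      # constructed
    "   2002 N   Mar 11 Example Sender  (  10) Quarterly farm report" # constructed
]

if __name__ == "__main__":
    for subject in flag_subjects(SAMPLE_INDEX):
        print("flagged:", subject)
```

The allowed error count should scale with keyword length: one error against an eight-character word is fairly selective, while the same threshold on a four-character word will match many ordinary subjects.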
