[ale] Well, this does nothing for the reputation of Linux

Michael B. Trausch mbt at naunetcorp.com
Mon Jul 22 10:09:23 EDT 2013


On 07/22/2013 09:57 AM, Andy Borgmann wrote:
> Facebook hasn't had any hacks that I am aware of.  I know they release
> a lot of information via Graph and other areas, which leads many of us
> to feel uncomfortable with their security practices.  But it seems all
> the information that is released, is released by design.  And I don't
> see how just because they run PHP through HipHop (which they created)
> to run their code through C and C++ for /performance reasons/ makes it
> any more secure than standard PHP?

Relevant quote, with emphasis added:

> Facebook does not run the official PHP, _*they run a subset of it*_
> that is then compiled, if memory serves, to C++ and then compiled to
> system code.

Last I checked, there were two major categories of things they left out;
first one being things that were too difficult to implement (but I think
they got those later), and the second, they removed functionality that
serves little purpose other than to install security flaws in code. 
There is some overlap between the two categories, but remember that HH
is a subset of PHP (and in some cases, even a superset---static type
checking, à la Python, significantly reduces security flaws due to
silent coercion, for example).

But, don't mind me.  I've only been programming in several languages for
a little over two decades and writing production applications for the
last decade.  I've used C, C#, Java, Python and PHP enough to be able to
give a fair amount of comparison between them (with my C++ being out of
date as I haven't seriously used it in about five years).  And I know
more languages than that, albeit not at the level of what I would call
"native fluency" yet.

PHP is making some improvements, but they have a long way to go before
they are secure by default.  And even further to go before they have an
audience that is secure by default, which is an intractable problem.

In short, PHP applications can be made provably secure by tailoring the
language to the audience it has.  Those who can program PHP properly are
probably also pretty good C programmers, or would be if they aren't already.

    --- Mike

-- 
Michael B. Trausch

President, *Naunet Corporation*
(678) 287-0693 x130 or (888) 494-5810 x130
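An added illustration of the "silent coercion" point raised above (this is example code written for this archive page, not code from the thread, from Facebook, or from HipHop; the token strings are constructed, not real hashes): PHP's loose comparison `==` converts both operands before comparing, so two different numeric-looking strings can compare equal, while a strict comparison and `declare(strict_types=1)` refuse the conversion.

```php
<?php
// Added example, not part of the original mailing-list post.
// Shows how PHP's loose comparison silently coerces operands, and the
// strict alternatives that a type-checked subset of the language enforces.
declare(strict_types=1);

// Loose comparison: if both strings "look numeric" (including the
// scientific form "0e..."), PHP compares them as numbers, not as text.
function looseTokenMatch(string $stored, string $supplied): bool
{
    return $stored == $supplied;   // coerces both sides before comparing
}

// Strict, constant-time byte comparison: no coercion at all.
function strictTokenMatch(string $stored, string $supplied): bool
{
    return hash_equals($stored, $supplied);
}

// With strict_types=1, a string is never silently turned into an int
// to satisfy this parameter; the call below throws TypeError instead.
function lookupUserId(int $id): int
{
    return $id;
}

// Constructed sample values: both parse as the float 0 * 10^n.
$stored   = "0e462097431906509019562988736854";
$supplied = "0e830400451993494058024219903391";

var_dump(looseTokenMatch($stored, $supplied));   // bool(true): different strings, "equal" numbers
var_dump(strictTokenMatch($stored, $supplied));  // bool(false): compared as bytes

try {
    /** @phpstan-ignore-next-line  (deliberately wrong argument type) */
    lookupUserId("42");                          // string passed where int is declared
} catch (TypeError $e) {
    echo "rejected by strict_types: " . $e->getMessage() . PHP_EOL;
}
```

Without the `declare(strict_types=1)` line, the last call would be accepted and `"42"` coerced to `42`; with it, the mismatch is an error at the call site, which is the class of flaw a statically checked subset catches before the code ships.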
