Stefan Esser quits security@php.net

PHP
Yesterday, I had a heated debate with Stefan Esser, one of the most active people (if not the most active person) in the field of PHP security. I told him that I, as well as a lot of other contributors to the PHP project, am at odds with the way he's behaving, while at the same time appreciating the highly skilled job he's doing for PHP.

Unfortunately, Stefan decided to call it quits and, judging from a blog post on his web site, it appears he'll now attempt to become even more aggressive, do his best to ignore the best interests of PHP by disclosing unpatched holes, and in general try to expose as many security holes in PHP as possible. That was not my intention when I truthfully told him what I (and many others) feel about the style of his involvement.

Since Stefan is obviously not listening to me, I think it may help if people who feel his behavior is inappropriate go to his blog and submit their thoughts, or send him emails. Do that in responsible and appropriate language, though. Maybe if he sees it's not just me, he'll reconsider.



Comments


  1. Robert K says:

    Unfortunately, it seems he has disabled comments. I suppose that he preemptively disabled them to impede the ability of others to change his mind, due to his mindset that listening to others' opinions is, as he calls it, futile. My primary hypothesis is that his main reason for doing all of this is he feels overwhelmed without enough people working with him on the project to smash vulnerabilities. I think if enough people step up to the plate and are willing to work with him in squashing these bugs, he will start behaving civilly.

  2. Joseph Crawford says:

    I am unaware of how Stefan was acting, as I am not part of the internal team. However, I don't see an issue with him releasing the security holes (so long as they are true) in a timely manner so that the public can be aware. I do, however, wish he would still release patches for them, or someone would.

    I would hate to see security holes lingering for too long.

  3. Allan Savolainen says:

    I don't know how it is bad that someone is, even aggressively, finding security holes in PHP? I think it is kinda sad to send mindless minions to his blog. If he cannot work with out, then he should be allowed to leave and continue working the way he wants. Perhaps someday we might even get a fork of PHP, one that is secure and has Register_Globals on as default...

  4. Ligaya Turmelle says:

    Just an FYI: he has turned off comments for that post on his blog.

  5. martin says:

    What you apparently missed is the fact that Stefan does not allow comments on the cited entry :-)

  6. enygma says:

    Yeah, we would if we could but, in true Esser fashion, he's turned off the comments because he doesn't want to listen to anyone else's opinions - true or not.

    Nothing like empty accusations and threats to make one feel all warm and fuzzy inside. Ah well, these things too shall pass...


The author does not allow comments to this entry