
Re: [LUG] What does the GPL mean to you?


On Sun, 12 Jul 2009 18:49:16 +0100
Simon Waters <simon@xxxxxxxxxxxxxx> wrote:

> kevin wrote:
> > 
> > I have my small business accounting system written in PHP which I
> > would love to give to the world but I feel it is not up to scratch
> > standards-wise (needs CSS-ing and form validation etc.)
> 
> If in doubt I'd try releasing it. You need a thick skin, but at worst
> no one looks at it, at best someone else will do that for you, and
> probably somewhere in between you learn how you should have written
> it.
> 
> Just be sure to remove anything sensitive...

.... and anything insecure?
$ find . -name '*.php' | xargs rm -f

:-)

Writing PHP is trivial.
Writing secure PHP is very difficult.
Packaging PHP in a secure way is just as difficult.

Translation: using PHP means constant fixes, patches and updates. No
PHP application is sufficiently secure at the first release and no PHP
application will remain secure without continual attention (because the
attacks keep on changing).

Releasing a PHP application is 99% security fixes and 1% functionality
improvements (most of which will cause the next flood of security flaws
to be fixed in the next release).

If a PHP application doesn't have security bugs, it doesn't have enough
installations. ;-)

> > and once released a
> > "real" programmer could do just what the last line says "MS Embrace,
> > Extend, and Extinguish"
> 
> They can't extinguish it if it is GPL'ed.

True conceptually and in strict terms of the licence.
False in the real world of development, due to problems of bit rot.

Choosing PHP only makes bit rot more noticeable than with other
applications.

The ideas can be preserved but if the upstream code is not
continually updated, there will come a time when the cost of updating
it will outweigh all the advantages of having access to the
(outdated) source code. Keeping it up to date is a continual battle of
fighting fires which can be very demotivating.

Therefore, the GPL is only a real-world protection from extinguishing if
the GPL'd code itself is kept up to date. Fixing security problems in
abandoned PHP code is a truly thankless task.

Remember: by choosing a web-based interface, you may gain in
development time compared to writing a new UI in Glade or Gtk+, but you
lose massively post-release because there are so many people intent on
*not* using your application, just trying to break it to gain access to
the system running your application.

-- 


Neil Williams
=============
http://www.data-freedom.org/
http://www.linux.codehelp.co.uk/
http://e-mail.is-not-s.ms/


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html