I thought maybe Slashdot at +5 would start getting better now that everyone has migrated to digg.
“Actually, lots of people have abandoned PHP for Python and Ruby.”
(I guess this depends on your definition of the word “lots.”)
What’s the point in pointing out an exploit in the PHP core code but not giving the developers any time to address it? Especially when every PHP Application is sitting out there with practical user-space level vulnerabilities? More importantly, how can a Month of Bugs be good for PHP when a simple e-mail to Ilia would do far more good right now?
From some of the bugs he’s posted and reading his blog over the years, it’s obvious he’s a very talented security person. But it’s just as obvious he’s a thin-skinned abrasive person who is not someone you’d want to share a beer with. It’s starting to become a modus operandi: Start a good thing, provide some excellent and intelligent advice, then quit a couple months later, but not before you piss on everyone else publicly, and then, laughably, pretend to act magnanimous in your “forgiveness”.
It’s a lot easier to tear shit down than to build it up. It’s a lot harder to keep things going than to abandon them. I wish for once, he’d take the hard(end) path.
But, (yet again) he decides to take his toys and go home. But before he does, he has to pump his product up by pushing down on everyone else. Promoting his shit on Slashdot, InfoWorld, SQL Server Magazine, ZDNet, CNET, etc. all of whom already have a big bone to pick with PHP.
How many times have people told me I’d get a lot more bees with honey? I really wish I could 302 them to Stefan Esser.
(Shit like this is classic. How old is Matt Mullenweg? I know Stefan has looked at the WordPress codebase and yet he always attributes to malice what can be attributed to incompetence? The kid made a big mistake and you caught him. At the end of the day, he’s a kid who learned something but you’re still a dick.)
PHP is a practical language; it’s full of shit that a lot of us would rather not see there. But nobody is going to break all its functionality just because someone snaps his fingers and says so. Give a security solution that works in practice, wait some time for it to be tested and gather feedback from the hundreds of thousands of developers out there, speak in a reasonable tone of voice, and it will be adopted just as is evident in some of the MoPBs he’s shown.
We understand the reality that PHP is used in many places for many reasons in many ways. We understand that the language is not a playground. That’s because we’re grownups.
I’ve been spending all my spare time getting things at work to work on PHP5. Real codebases are not very easy to upgrade. Right now I’d just be happy if the thousands of lines of code I’ve touched pass QA. The whole transition may take months and it’ll just make it so we can start at the ground floor at looking at refactoring to address security issues.
That’s reality. It’s hard, difficult, and full of ugly compromises.
I honestly think Stefan needs to get some friends and not take everything so personally when it takes a couple days to respond to an e-mail because the recipient has a horrible hangover, or (the horror!) a life. You know, I don’t know why someone doesn’t respond fast enough to your taste—maybe he’s banging his new wife or something. Cut him some slack.
Coming from a person like me who works 80 hour weeks and often says very offensive shit (case in point: this post), that’s a pretty serious criticism I’m leveling.
Don’t believe me? Wait to see his response to this blog entry.