Recently I was pointed to a blog entry announcing the retirement of Stefan Esser from the PHP Security Response Team. Stefan, amongst other things, developed Suhosin, a PHP security tool. His retirement announcement was extremely disturbing and is worth reading.
The crux of it is this paragraph:
The reasons for [my retirement] are many, but the most important one is that I have realised that any attempt to improve the security of PHP from the inside is futile. The PHP Group will jump into your boat as soon you try to blame PHP’s security problems on the user but the moment you criticize the security of PHP itself you become persona non grata. I stopped counting the times I was called immoral traitor for disclosing security holes in PHP or for developing Suhosin.
Now I’ve done relatively little hacking of PHP and don’t expect to do this for a living, so why should I care about this? I hacked on one PHP app that horrified me because of how poor it’s security was, but this is not a reflection on PHP. However, as I was once griping about the fact that I don’t miss strong typing, one programmer pointed out that if we could get optional strong typing in Perl, we could gain tremendous performance wins for all Perl programs.
That’s why I was annoyed at the security holes I had to fix in the PHP app (SQL injection attacks), but not overly worried. If Stefan’s comments are accurate, then there are plenty of reasons for the PHP community to be concerned. You might not care about an individual program — you can usually just choose a different program which does the same thing — but if you’re talking about the entire programming language, that’s serious. The more people who are affected by what you do, the more disciplined and less-ego driven you need to be.
Of course, it’s possible that Stefan is just a crank — I wouldn’t know — but if any of the people involved are reading this, my apologies if I’ve offended anyone. I’m an outsider looking in and perspective is a difficult thing to acquire.