[Freedombox-discuss] The Status of PHP

Sunil Mohan Adapa sunil at medhas.org
Fri Jan 4 19:53:49 GMT 2019


On 04/01/19 10:35 am, Danny Haidar wrote:
> Hi everyone,
> 
> An important subject was discussed in the IRC channel today, and I want
> to bring it to the attention of the community.
> 
> Over the course of a discussion about the long-standing desire to
> integrate Nextcloud into FreedomBox (and, as a precondition, into the
> Debian ecosystem), Jonas brought up a broader criticism of software
> written in PHP. Here it is in brief: software written in PHP cannot be
> reliably run without supervision. Since FreedomBox is designed to be a
> server system that requires no administration, PHP's occasional
> requirement of supervision conflicts with our goal of self-administration.
> 
> I want to make sure that we don't ignore this point the next time we
> discuss packaging Nextcloud, WordPress, or any other software written in
> PHP. I know that we have plenty to discuss pertaining to the Buster
> freeze in the coming weeks, but we should add this concern to an
> upcoming call agenda.
> 
> Jonas shared some helpful resources to explain the criticism:
> 
> https://security.stackexchange.com/questions/643/why-do-people-say-that-php-is-inherently-insecure
> 
> https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/
> 

Some points I would like to add to the discussion:

We have recently moved away from the apache2 module for PHP and started
using PHP-FPM, a separate daemon, for all current and future PHP
applications. This enables us to put additional jail restrictions on
PHP applications.

Also, well-written software can avoid the security pitfalls of PHP. I
would say having a good, security-conscious team is more important than
the choice of language.

While PHP may not be our first choice for a language, there is some
well-respected and popular software written in PHP with good teams
behind it.

-- 
Sunil
