I’m very pessimistic about software quality, as you might have gathered from my previous blog post. Especially when it comes to PHP software. I haven’t had any issues, just a bad feeling about lots of software.

It’s way too easy to write bad code in PHP. When you write bad code in C, it’s likely to just not work at all. So no one will use your software.

When you write bad code in PHP and make it generate a fancy webpage, everybody will rush to use it. I’ve seen really bad stuff, e.g. a fancy-looking webmail interface which had the bad habit of storing all passwords ever used in a MySQL table - but never removing them. I discovered that only when I was about to migrate it to a new server. When I was about to dump the MySQL tables I almost had a heart attack. (Obviously, the web server needs to be able to read the credentials to access this MySQL database, so any slight issue in any PHP script on that box would have allowed the retrieval of dozens of passwords!) Fortunately, only a few users of that server had been using this webmail, while most used real email programs or the other, older webmail interface.

Then there are the recurring issues with SQL injection vulnerabilities in PHP scripts, authentication bypasses (script.php?authenticated=1) and issues when invoking ImageMagick.
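To make the three recurring problems above concrete, here is an added example (not code from the original post or from any project it mentions) showing each vulnerable pattern next to a hardened equivalent. It assumes a mysqli connection with the mysqlnd driver, a hypothetical `users` table, a hypothetical upload directory `/var/www/uploads`, and ImageMagick’s `convert` on the PATH; all function and variable names are made up for the illustration.

```php
<?php
// Added example, not from the original post. Assumed: mysqli with mysqlnd,
// a "users" table, an upload directory, and ImageMagick's "convert".

// 1. SQL injection: string-built query vs. prepared statement.
function find_user_unsafe(mysqli $db, string $login): ?array {
    // User-controlled $login is concatenated straight into the SQL text.
    $res = $db->query("SELECT id, login FROM users WHERE login = '$login'");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function find_user_safe(mysqli $db, string $login): ?array {
    // A placeholder keeps the data separate from the query structure.
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = ?');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// 2. Authentication bypass: with register_globals on, an uninitialised
//    $authenticated is filled from the request (?authenticated=1). The check
//    must rely on server-side state the client cannot set: the session.
function is_authenticated_unsafe(): bool {
    global $authenticated;        // may be populated from $_GET by register_globals
    return !empty($authenticated);
}

function is_authenticated_safe(): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Only the login handler writes user_id into $_SESSION.
    return isset($_SESSION['user_id']) && is_int($_SESSION['user_id']);
}

// 3. ImageMagick: a file name interpolated into a shell command lets shell
//    metacharacters in the name change the command. Escape every argument
//    and confine the input to the known upload directory.
function make_thumbnail_unsafe(string $file): void {
    exec("convert $file -resize 128x128 $file.thumb.jpg");
}

function make_thumbnail_safe(string $file): bool {
    $dir = realpath('/var/www/uploads');                 // hypothetical upload dir
    $src = realpath($dir . '/' . basename($file));
    if ($dir === false || $src === false || strpos($src, $dir . '/') !== 0) {
        return false;                                    // path left the directory
    }
    $dst = $src . '.thumb.jpg';
    $cmd = 'convert ' . escapeshellarg($src)
         . ' -resize 128x128 ' . escapeshellarg($dst);
    exec($cmd, $output, $status);
    return $status === 0;                                // convert exit code
}
```

The hardened variants share one idea: never let request data decide the structure of a query, a command line, or an access decision. `get_result()` requires the mysqlnd driver; with the older libmysql driver, `bind_result()` does the same job.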

I was the maintainer of libming for quite some time, but its code was pretty much unmaintainable. Every now and then, extensions would be broken. Development was mostly stalled, and I bet the code was never audited. That was when I decided to orphan it and have it removed, 3 years ago or so. Since then I get about 1 mail every three months asking if I have updated packages somewhere. Granted, ming development has been picked up by others in the meantime. Still I have doubts that anything except the PHP module is working…

In the long run, we would need to audit lots of code in Debian. Right now, we are relying on upstream, commercial Linux distributions and external companies to do that. But look closely: Novell released SuSE to become “openSuSE”, RedHat has split off Fedora. They are not going to provide many additional security audits.

Maybe we should add a Debtags tag named “quality::audited-by-independent-party”.

Hmm… and maybe I should stop toying with Python. It is probably as easy to write bad Python code as it is to write bad PHP code… (except that PHP code usually is unreadable, because it’s badly intermixed with HTML fragments)

And I also know lots of Python code I have a rather bad opinion of… (e.g. mailman, or offlinesync, which has unhandled (!) exceptions when I have accessed my email on the server with mutt; reported a year ago)

[Update: Steve Kemp sent me an email saying that he agrees with my view, and pointed me to the Debian Security Audit project, which could use a lot of help.]