TL;DR the TL;DR - I wasn’t driving trollies.
TL;DR - I’m skeptical of ownCloud based on my longish career in software development and an influential article that matches my own experiences and which suggests that it is a red flag that ownCloud is implemented in PHP.
I use the terms security and correctness a lot. For clarity, here’s what I mean by “security”:
- keep private that which is private
- prevent unauthorized reading, writing, deleting of my content
And “correctness”:
- don’t corrupt my data
- handle conflicts in a sane manner
- more generally: the program should behave as the developers intended, e.g. avoid undefined behavior
Though I’m a coder, I don’t specialize in security, so technically speaking you should ignore everything I have to say on the matter. Fortunately, I’ve spent the majority of my career specializing in creating correct software; so I consider myself qualified to speak on that.
Not at all; I genuinely believe what I wrote.
You incorrectly assume I’m advocating a strongly typed language. Python, Ruby, or even Node.js (with similar type-coersion warts as PHP) would be better choices than PHP.
Yes, it is, at least in part.
In my original comment I acknowledges that it could be done in PHP. But all other things being equal (talent, process, code coverage) choose a better language.
I get where you’re coming from; I’ve been there. My career has included a few oscillations between strong-typing and strong-testing camps, equal parts coding in strongly-typed and weakly-typed/dynamically-typed languages, and the gamut of process wonkery (eXtreme Programming, SCRUM, Lean). For what it’s worth, were ownCloud implemented in, say, Python, but without unit tests, I’d be advocating similar skepticism.
My beef with PHP as it relates to implementing secure and correct cloud sync is that — compared to its contemporaries — PHP gets in the way more often than it helps.
My top gripes are that PHP:
- wasn’t designed by a language designer; it was cobbled together over time and it shows
- lacks a history or strong culture for modularity, automated unit testing, and code review
- does many things wrong by default
- exception handling arrived late and most code still uses error reporting, including core PHP
- has instead a design philosophy leading towards incorrect or undefined behavior when things go wrong
- has backwards compatibility to a fault
I have other issues with it, but those are the low points. All languages have warts; it’s just that PHP has a high concentration of them.
Again, I’ve repeated a lot of what was addressed in PHP: a fractal of bad design complemented by a rebuttal where the original author shows up in the comments.
As I write this the forum hosting the rebuttal (forums.devshed.com, running PHP) is returning this:
HTTP/1.1 200 OK
Date: Mon, 14 Apr 2014 06:35:54 GMT
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Content-Type: text/html
…
Connect Error: Too many connections
- should be
500 Server Errornot200 OK - body is plain text not HTML
- in another language, the default behavior of the web framework coupled with the language’s exception handling would have taken care of both
Update: now it’s returning this:
HTTP/1.1 200 OK
Date: Mon, 14 Apr 2014 08:56:54 GMT
…
Invalid query: Table './f_devshed/dbtech_dbseo_resolvedurl' is marked as crashed and last (automatic?) repair failed116
Because revealing your internal database schema to the world is secure…
[quote=“selfsimilar, post:162, topic:28218, full:true”][emphasis mine]
PHP may have been chosen for the simple fact that it’s still the most easily deployed web language available…that alone may have trumped any other consideration about speed, potential type safety, etc..
[/quote]
It’s a popular opinion that PHP “is still the most easily deployed web language.” But I share your supposition that it was a motivator in selecting PHP. The problem is that — in my mind — that “etc.” includes some unacceptable tradeoffs. I question the acumen of developers who would exchange security and correctness for ease of deployment by lay people particularly when it comes to cloud sync.
A side channel response thread to my comments here (I’m a newbie, so only two links per comment):
https://gist.github.com/toolbear/10714417#file-cj-md
