[pLog-svn] r6088 - plog/branches/lifetype-1.2/class/security

Jon Daley plogworld at jon.limedaley.com
Wed Jan 2 14:41:49 EST 2008 

On Wed, 2 Jan 2008, Andy wrote:
> I am mostly concerned with the major 2.x.x releases.  If a security hole
> were to be detected, and a major code change would have to be provisioned
> for the API - can you assure me that the references to object data
> requests would not be altered?
 	I am not sure what you mean when you say "references to object 
data requests".  I think most (all?) security fixes that have been added 
have been on the input validation side of things, prior to the data 
getting to the DAO layer.  But, if you are asking whether the object 
structure will change (as in if an object that is serialized with 2.0 can 
be unserialized with 2.0.1) I think that would be chancey, and it would be 
better to not save serialized copies of objects outside of LT between 
upgrades.
 	You shouldn't care about internal object data if you use the API 
methods, right?  I think I must be missing your point.

> My last concern is with new feature sets in which the current API I
> am using would not support, and additions would be made.  How would
> these new features be set at default, in a production system, with
> the new version, without disrupting the secure and effecient
> execution of the previous release, in addition to the above?
 	I am not quite sure what you are asking.  If there are new 
objects/functions that you don't call, they wouldn't affect anything, 
right?  The LT code generally provides default parameters where 
appropriate, and tries quite hard to never break anything during minor 
upgrades.
 	You shouldn't expect to be able to upgrade from 1.2.x to 2.0 
without any changes on your part.  I don't think anyone wants that to 
happen.  It is even worse in PHP that in say Microsoft world, since all of 
the functions have been parsed at run-time, and so as the code grows 
larger and larger, it not only gets confusing which function you want to 
use OpenFile, OpenFileEx, OpenFile2, etc. but also the whole application 
would run slower.  So, we need to prune out old functions some of the 
time.

> Could there be a separation of code features based on version releases,
> yet still be available in the new applications provided?
 	Can you explain more?

More information about the pLog-svn mailing list