Jul 28 2008

Since I gave control of the GeSHi project to Benny Baumann, he hasn't been slacking around. Between him and Milian Wolff, they've fixed a ton of bugs, and Milian in particular has spent a lot of time optimising the highlighting algorithm. He's managed to make a 50% performance gain, using some graphing skills and custom tools to find bottlenecks. I think his experiences in optimising GeSHi would make a great article for PHP developers to read. While the rest of us argue about whether regular expressions are faster or slower, he's actually got ways to demonstrate whether they are, and what's more, there are actually tangible results to show for it.

Milian, write that article! :D

Meanwhile, as I mentioned before, Benny hasn't been slacking - he's fixed a bunch of bugs that I previously wrote off as too hard/not worth fixing in the 1.0.X series. The changelog for 1.0.8 is huge (it's not yet released). My congratulations go to both of them for their efforts.

And now that Benny has fixed the RSS feed, I can follow the news more closely :D

Like this post? Subscribe to my RSS feed and follow me on twitter to hear about new posts early.

Want to share this post?

Mar 16 2008

I've handed over the GeSHi project to Benny Baumann. I haven't done anything to it for a long time now, which was only holding it back. It's clear that with about 100 downloads a day, there is still huge demand for it, so hopefully Benny can revive the project, and maybe even get that experimental parser into a release :).

GeSHi was the first project I worked on while learning PHP, and as such, while it's not coded well, it did get me into open source, and for that I am extremely grateful. It even won me an award from phpclasses. But now it's time for someone else to carry the torch.


Dec 22 2007

Ben alerted me to this comment on Slashdot that mentions GeSHi. The article is about vulnerability numerology in software, and the comment slams Secunia for several dodgy practices - like trawling old changelogs and bug reports in order to find more vulnerabilities to report.

The comment is absolutely correct. In the particular example given, after consultation with the good crew of WikkaWiki, I put a workaround in GeSHi to fix a security vulnerability in the htmlspecialchars function of PHP - and nearly got a security advisory filed against GeSHi itself! To quote:

> we noticed the following entry in the changelog for GeSHi 1.0.7.18 and
> are about to issue an advisory based on this information.
>
> "Committed security fix for htmlspecialchars vulnerability. Also makes
> supporting multiple languages a lot easier"
> http://sourceforge.net/project/shownotes.php?release_id=489035
>
> To serve our mutual customers best we would appreciate to receive your
> comments on this issue before we publish our advisory.

As you can see from the quote, they were going to publish a vulnerability report if they did not hear from me. Well, they heard all right - I sent them back an angry e-mail to the effect that they were useless retards, and the report was never published. It's very annoying to see that if they had not heard from me, they were going to publish anyway. They're acting as judge, jury and executioner when they have no right to.

I've also encountered the "bottom-fishing" with Mahara. A fix for a security check being too tight on something resulted in an automated e-mail asking for more details so they could file a report.

I want to echo the sentiments of the comment here. If you run an OSS project and you receive e-mail from Secunia asking about security problems that are not your fault, complain! They do seem to at least not contest your protests or publish a vulnerability report if you do, which just goes to show they're in it for volume, not quality. If the problem is a real one you could put them straight so they can file an accurate report, but why not try an experiment and tell them it's rubbish anyway? They don't deserve to have a report if they can't be bothered analysing the problem for themselves.

I think you'll agree that if their default behaviour were to do nothing when they didn't receive a reply, they wouldn't be doing it. They wouldn't get any vulnerability reports this way.

One final note. In this post I am only criticising the attitudes and methods of Secunia. I am not saying anything about good or bad security practice, other than that Secunia are performing irresponsible disclosure.
