[GTALUG] OwnCloud vs Nextcloud?

Blaise Alleyne email+libre at blaise.ca
Mon Jul 11 23:13:25 EDT 2016


On 11/07/16 02:14 PM, Lennart Sorensen via talk wrote:
> On Mon, Jul 11, 2016 at 11:44:58AM -0400, D. Hugh Redelmeier via talk wrote:
>> I don't use PHP so my opinion isn't reliable.
>> 
>> Historically it has been too hard to write secure code in PHP.  Or perhaps
>> it was the culture.  I know that things have gotten better over the years.
>> Culture is pretty resistant to change.
> 
> Actually I think the right way to word it is:
> 
> It is too easy to make it insecure in php.
> 
> It is perfectly possible to write secure php code.  It just happens to be
> stupidly easy to write insecure php.
> 

Yes, totally -- it's far too easy to write insecure code in PHP.


> [...] a lot of the problems are really just that people don't know what they
> are doing and it makes it very easy to make something that "works" even if it
> is also very insecure in non-obvious ways.  You can do some of those 
> stupidities in other languages, but usually you actually have to try a bit
> harder to get bitten.  Trusting user input and using it directly is pretty
> much always a bad idea in any language.
> 

Absolutely.

Beyond that, PHP just makes it really easy to write code in general, and then
really easy to do stupid stuff when you're writing code. It's a bad combination
of democratizing web programming and bringing the masses in but also abandoning
moral and technical standards and traditions in the process... you just get a
free-for-all where any schlub can hack together terribly insecure code...


Thing is, I don't think you can generalize from a particular culture of PHP devs
to say something about all PHP applications though. It's not like the
ownCloud/nextCloud community is a bunch of unsophisticated people using PHP to
cobble together some shoddy thing.

The ownCloud/nextCloud developer community rose out of the KDE developer
community (not like, Joomla! or something). Not that I've pored through the
source code, but ownCloud feels sophisticated -- they've got top-notch
libraries employed, like SabreDAV, and support a ton of APIs and standards,
which would be tough for an unsophisticated bunch to pull off, plus a
fully-featured management CLI, which is another sign to me of a well-designed
application.

There are well-designed and sophisticated PHP-based applications, like SabreDAV,
like Symfony, like ownCloud/NextCloud. It's possible to write secure,
well-designed code in PHP, and some people choose PHP because of its broad
accessibility for hosting, not because they don't know how to write secure code.

I'm not that old, but I've seen and worked with my fair share of terrifying PHP
applications... ownCloud/NextCloud isn't one of them. *shrugs*
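The point Lennart makes above, that trusting user input and using it directly is the mistake rather than PHP itself, shown as an added PHP example. This is my illustration, not code from the thread or from ownCloud/Nextcloud. The `files` table, its columns, the in-memory SQLite database and the hostile request value are all constructed for the demo; it assumes PHP's PDO with the pdo_sqlite extension available.

```php
<?php
// Added example: the "trust user input and use it directly" mistake beside
// its hardened form. Table, column names and data are constructed here.

// INSECURE: the request parameter is interpolated straight into SQL.
// Any value that is not a plain integer changes the meaning of the query.
function lookup_file_insecure(PDO $pdo, array $request): array
{
    $id = $request['id'];                      // taken on trust
    $sql = "SELECT id, owner, name FROM files WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: validate the shape of the input, then bind it as a parameter so
// the database never parses it as SQL. Failing closed on bad input is part
// of the fix, not an optional extra.
function lookup_file_secure(PDO $pdo, array $request): array
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, owner, name FROM files WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output to the browser follows the same rule in the other direction: escape
// on the way out, so a stored name containing markup is rendered as text.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Self-contained demonstration on an in-memory SQLite database (constructed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)');
$pdo->exec("INSERT INTO files VALUES (1, 'alice', 'notes.txt'), (2, 'bob', 'secret.pdf')");

$request = ['id' => '1 OR 1=1'];   // constructed hostile request value

// Insecure path: the WHERE clause is rewritten, so the filter no longer applies
// and rows belonging to other owners come back.
var_dump(lookup_file_insecure($pdo, $request));

// Hardened path: the same value is rejected before it reaches the database.
try {
    lookup_file_secure($pdo, $request);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// Hardened path with a well-formed value behaves as intended.
var_dump(lookup_file_secure($pdo, ['id' => '2']));

echo render_name('<b>notes</b>.txt'), PHP_EOL;
```

Nothing here is PHP-specific in principle; the same string-building bug exists in any language with a database driver. The difference the thread is pointing at is that the insecure version is the shortest thing to type in PHP and it "works" on every well-formed request, so nothing pushes a beginner toward the validated, parameterised form until something goes wrong.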
