First, I’m going to point out that I do love symfony – I’m mostly happy with it, and I’m an active member of the community. I certainly appreciate the effort put in by Fabien and everyone else who’s worked on the symfony project – it’s a fantastic achievement. However, there are a couple of things which really wind me up, and I’m concerned things aren’t going to change.
One thing that’s been pointed out several times in the past is that the symfony website is very unreliable. I personally found the hosting so unstable that I set up an SVN mirror – and there have been requests for an official symfony mirror. This request, however, went unanswered. Does it matter if the symfony site goes down? Personally I think it matters, both for Sensio and for symfony. If Sensio can’t keep the symfony site itself running, doesn’t that set a bad image for the project? It also sets a really bad image for Sensio themselves – if they can’t maintain a site’s uptime, would you want to use them for consultancy on your own projects?
My other main concern is the way security is handled. Today I noticed that Ticket #1617 had been closed in the SVN logs. This security issue has been open for a year! Also, I reported this issue over 2 years ago. There was no ‘official’ security advisory made about this – nor about other issues that have occurred.
In my opinion, mentioning these security issues just in the revision log, or on the blog, is not enough. There should be mails to the dev/user list – and a security procedure in place to handle issues. In the past someone came onto IRC concerned that a security issue they had reported to Fabien personally by email, about bypassing validation using different HTTP verbs, was being ignored. I’m sure Fabien is a busy man, but the symfony website needs to document how these things are handled. I can’t remember the outcome of this issue, and Google didn’t tell me much – maybe it was a non-issue, but if it wasn’t, no security advisory was released.
Other security issues have been discussed, such as the security of _dev.php files, and the default permissions. These issues haven’t really been addressed in my opinion – and both are what I would consider critical issues.
I accept that symfony is an open source project, and that we could fix these issues amongst the community – but I feel Sensio have an important role to play in this. Sensio understandably keep a very tight grip on the project, but in doing so they take on certain responsibilities. I would like to see more active discussion of security related issues on the dev list – with more involved responses from Sensio. I’d like to see an announce mailing list where security and release information is published. I’d like to see current security issues highlighted and made VERY clear on the main website.
I’d like a security reporting system documented and clearly linked from the ticketing system, so there’s a clear channel to report security concerns, knowing they will be dealt with.