[wp-trac] [WordPress Trac] #24251: Reconsider SVG inclusion to get_allowed_mime_types
WordPress Trac
noreply at wordpress.org
Sat Feb 27 21:41:21 UTC 2016
#24251: Reconsider SVG inclusion to get_allowed_mime_types
---------------------------+------------------------------
Reporter: JustinSainton | Owner:
Type: enhancement | Status: reopened
Priority: normal | Milestone: Awaiting Review
Component: Upload | Version:
Severity: normal | Resolution:
Keywords: early | Focuses:
---------------------------+------------------------------
Comment (by LewisCowles):
@DrewAPicture none of what I have said is hyperbole; it is all documented
facts, references to easy to find information with anyone using this TRAC
(which I have assumed they know how to use), and the wider internet.
PHP 5.2's last release was announced on January 6, 2011
http://nl1.php.net/archive/2011.php#id2011-01-06-1, that is over five
years ago! Scrolling up two entries on that link demonstrates the product
was EOL in 2011 as far as PHP were concerned. Any stack running that is so
old, it will likely also be vulnerable at the server level to a host of
vulnerabilities; many much more serious than a dodgy SVG file. The
language you use would suppose this is akin to pretending Santa exists to
kids; but it's not, it's much more like pretending all strangers are nice
people a child should trust. Sadly times change; how you educate, and how
much you educate users need to change too.
As I'm much less interested in opinions than facts, and keen not to be
drawn into some cyclical nonsense about tone of conversation; please check
at PHP.net, pay attention to release dates and the change log from 5.2.8
(given by someone else in this thread), until the present 5.6.x version
(or 5.7.x version when that becomes available).
http://php.net/ChangeLog-5.php#5.2.9 . The technically minded will notice
many problems ranging from the annoying to unacceptable.
I would like to apologize to anyone who has found some of what I have said
"insulting". Please be assured my interest in contributing to your project
with code is no longer existent. My only contributions to any thread which
I am subscribed to now, is to ensure that it presents a technically
accurate account of decisions, which may well highlight problems with this
project, but should overall help to educate. I think there are only a few
threads, but feel free to ban me if you wish to enforce all users operate
sheerly on opinion and trust, rather than facts.
It is terrible to not be able to feel differently; it is terrible to have
to use these words; but to call misrepresented facts, or exaggerations,
and non-standard practices negligent is not an insult. What it does
represent is the opinion of a professional (not just one), who has worked
in software for over 13 years (me), based upon the current, and past
codebase of this project; some of its own official announcements; based upon
some of the advice I see contributors, including your last post, giving to
an audience described in your own words as "a largely non-technical user
base, all of whom place their trust in the project leaders". It's
unacceptable, much more so than colourful use of language.
It's this very aspect that has me both concerned and professionally
shocked. It's this that you probably think is rude; but I have to say,
disagreeing with someone, or believing their work is negligent based upon
its failed conformance to established industry practices is not rude or
insulting, unless untrue or misrepresented. There have been professional
talks at PHP community events for years encouraging people to use more
recent versions of PHP runtime software; it's a core competency in
operations and server-admin to ensure that updates and especially patches
are applied, and that software is upgraded when needed; and a post from
IRCMaxell; a PHP core contributor including the same sentiment I am
expressing on PHP can be found here
http://blog.ircmaxell.com/2014/12/on-php-version-requirements.html.
I think it would be far more rude for me to congratulate, jeer, or promote
ignorance to my peers of what I understand to be widely understood best
practices, and whilst I do not expect them to understand much of the
technical expertise I possess; especially not those that are "largely
non-technical". To suggest that it's unreasonable to allow a file-type > 75%
of the internet can access without restriction, that the primary server OS
Linux uses, that is present in many themes as a potential for representing
iconography is much more hyperbolic. (For this fact, I'm using the
WordPress official we are on 25% of the web figures, Fontawesome.io as an
icon-font example).
Worse still to suggest SVG, unlike other files deserves excessive scrutiny
(I'd suggest you take a look at MediaWiki & OWASP who both use and support
SVG on systems much more open than WordPress standard installs) is to
misrepresent the understood and monitored state of the market. It's like
the tobacco industry telling people that it's healthy to smoke their
brand, but not competitors, it's simply untrue.
Instead I would suggest that you are using the fact I am presenting
uncomfortable information to suggest I am insulting you or any other
specific person. I am not, and if anyone thinks I am, then again I
apologize to them. I would like to point out that I cannot do anything
about how they interpret a stream of facts and suggestions, all to benefit
a largely non-technical user-base to enhance their project, and re-iterate
that my comments are not to insult, deride, or mislead through hyperbole
or emotive language. I simply do not believe the responses received
against SVG in core since the initial comment; are of the same quality and
effort, or technical competence that the pro-SVG arguments demonstrate.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/24251#comment:58>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform