To be fair, almost all of the video tube scripts out there have the requirement that open_basedir be set to blank so it's not specific to vShare.

With regards to your question on which is baloney, technically both are baloney.

From the vShare perspective, yes, vShare can be installed with open_basedir being set. The issue, however, is that it must be set properly. By default, open_basedir does not allow execution or inclusion outside of the executor's home directory or includes directory. The problem, however, is that most installations of PHP do not run suPHP. This means that most, if not all, of your executed tasks run as the server user (usually the "apache" user). This means that while your local user account can access and run programs such as ffmpeg, mencoder, etc, the apache user, which is not a local logon account, usually can't as there is no apache home or includes directory. The simple solution is to turn it off (which is what most scripts out there recommend). The more complicated solution is to run suPHP and properly set the open_basedir to include the proper locations such that PHP can effectively utilize your scripts. I can tell you that on many hosts out there, the latter is never the case. It is usually the former.

From your hosting guys perspective, setting or not setting open_basedir in itself does not create a massive security problem. It does not allow for someone to remotely gain access to your server or anything like that. The security issue that comes with not setting open_basedir happens if someone, who already has access to the server, uploads code that is bad or badly written. The key here is that you have to already have access to the server to exploit the possible hole. If a hacker already has access to your server, then there is no need to exploit PHP at that point.

Now, to your hosting guys credit, by not setting open_basedir, a badly written script could be exploited to execute rogue code onto the server from remote. But the kicker here is that if you properly set open_basedir, that hole would still exist. The reason is because open_basedir does not limit what PHP can actually execute. Rather, it limits the locations to what can be included or called. This means that if you were allowing your /usr/bin directory so that you can execute ffmpeg or any other tool needed for vShare, for example, the same code could also execute curl (local curl), wget, sh, or any other executable located within that directory. This would pose the same security threat as not having open_basedir set at all.

To date, PHP security (or the lack thereof) really does not tie into having open_basedir set. In vShare 2.6, one of the requirements was to turn off safe_mode and register globals, which is just as insecure as not having open_basedir set. Real PHP security comes from server hardening... in which you run process checks within PHP (Suhosin comes to mind), having PHP's setting's properly set, hardening Apache (to prevent people from overriding PHP settings, which can be done today), and, ultimately, hardening your scripts (vShare is in no way hardened).