Newsgroups: php.internals
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: Pierre Joye <pierre.php@gmail.com>
To: Stefan Esser
Cc: Ondřej Surý, 657698 <657698@bugs.debian.org>, Christoph Anton Mitterer, Douglas Calvert, Jesse Molina, Carlos Alberto Lopez Perez, PHP internals, Debian Developers, Debian PHP Maintainers
Date: Thu, 2 Feb 2012 14:38:47 +0100
In-Reply-To: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de>

Hi Stefan,

On Thu, Feb 2, 2012 at 2:31 PM, Stefan Esser wrote:
> Hello Ondřej,
>
>> My personal feeling is that most people see suhosin as "this is about
>> security, thus it must be good". This combined with bad PHP security
>> history makes everybody feel insecure when suhosin was removed, but
>> the real question is if the suhosin is still really helping with PHP
>> security or it is just a burden in the general installations now.
>
> considering the fact that you write this email the very same day that a
> remote code execution vulnerability in PHP is found that is easy to exploit
> from remote and is greatly mitigated by the use of Suhosin, you look pretty
> stupid. (In case of usage of Suhosin-Extension in default config, it is even
> completely killed).

Another very important part of Ondrej's email was:

"Please keep the discussion civil and on the technical level"

And at this point, I may suggest you keep such posts to yourself.

About the current flaw affecting 5.3/4: PHP and suhosin had bugs, and will have bugs. This is not really hot news. That does not affect this discussion.

I, for one, like the idea to finally see distros dropping Suhosin and focus on making PHP itself better and safer instead of distracting us and our users with custom patches or extensions.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org