Newsgroups: php.internals
From: Stefan Esser <stefan@nopiracy.de>
To: Pierre Joye
Cc: Ondřej Surý, 657698 <657698@bugs.debian.org>, Christoph Anton Mitterer, Douglas Calvert, Jesse Molina, Carlos Alberto Lopez Perez, PHP internals, Debian Developers, Debian PHP Maintainers
Date: Thu, 2 Feb 2012 15:14:56 +0100
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
Message-ID: <46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de>
References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de>

Hello Pierre,

> About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and
> will have bugs. This is not really hot news. That does not affect this
> discussion.

I know that for many years you have not understood the idea behind Suhosin, the concept of exploit mitigations.

The only reason why Suhosin exists is because there will ALWAYS be bugs. And because that is a fact, you must have safeguards in case something goes wrong. Suhosin/HPHP has provided this safeguard to the PHP community for 8 years.

Ideas like "I haven't seen many bugs lately, so let's drop all the safeguards" are like not paying for your life insurance anymore because you haven't died too often recently.

BTW: You should really, really look into the history of PHP security and check, for each of the last 8 years, how many features were in Suhosin and later merged into PHP because of some nasty security problem. You will see that at least 2 features of Suhosin per year were merged into PHP.

And there are many, many good reasons why Suhosin must be external to PHP. The most obvious one is that the code is clearly separated, so that none of the hundred PHP committers accidentally breaks a safeguard.

Regards,
Stefan Esser