Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57621
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 40351 invoked from network); 2 Feb 2012 16:26:27 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2012 16:26:27 -0000
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.42 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.213.42 mail-yw0-f42.google.com  
Received: from [209.85.213.42] ([209.85.213.42:52430] helo=mail-yw0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 6D/25-04454-039BA2F4 for <internals@lists.php.net>; Thu, 02 Feb 2012 11:26:25 -0500
Received: by yhfq11 with SMTP id q11so1298355yhf.29
        for <internals@lists.php.net>; Thu, 02 Feb 2012 08:26:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=Mm7oiTE2nYzsHYfji0N0n/P+7mfM3q5ExYWh0hOhoe0=;
        b=t9cZpL7g/bLjjWiK+XcGuVVGi5D7Csr80KjefdEZ6Hcs+cvrS99o3T+jPgbVKkE6qO
         cAheAPk3cYARThCKVZbArKF13Php6ExZZHbLAGROnbpbbUSwtuxD/ddrrl0gaNC5/XNN
         5I0L4wVxOe8K6/1nCE5UMiOByL+76c3mt479I=
MIME-Version: 1.0
Received: by 10.236.182.2 with SMTP id n2mr5526682yhm.11.1328199982516; Thu,
 02 Feb 2012 08:26:22 -0800 (PST)
Received: by 10.146.197.7 with HTTP; Thu, 2 Feb 2012 08:26:22 -0800 (PST)
In-Reply-To: <A53679E3-53ED-423C-AC4C-E9C4A8631C20@nopiracy.de>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com>
	<5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de>
	<CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com>
	<46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de>
	<CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com>
	<A53679E3-53ED-423C-AC4C-E9C4A8631C20@nopiracy.de>
Date: Thu, 2 Feb 2012 17:26:22 +0100
Message-ID: <CAEZPtU4-zP0eyTX=eZiJXP-RBE_mNY4X_w-YvGmC+frZ2q=Wqw@mail.gmail.com>
To: Stefan Esser <stefan@nopiracy.de>
Cc: PHP internals <internals@lists.php.net>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: pierre.php@gmail.com (Pierre Joye)

On Thu, Feb 2, 2012 at 5:10 PM, Stefan Esser <stefan@nopiracy.de> wrote:
> Hello Pierre,
>
>> For one, some were not not ported but features were implemented, with
>> the support of their original authors. They are not related to
>> Suhosin, like the Blowfish support, which I ported to php with the
>> help of Solar Designer. Suhosin uses the same implementation.
>
> Sorry it makes no difference if a feature was introduced into PHP by taking code from Suhosin or from someone else. Fact is the feature existed before in Suhosin.

I corrected your statement, in fact it makes no difference except that
giving back to Caesar...

> The thing is: I see no problem with the status quo - Suhosin exists and people can use it - it is like people can choose if they want ASLR, NX, Fortify Source on their system.

I do see a problem and this problem is the reason why I do not think
Suhosin is the right way. To me it creates more issues than it solves.
I cannot count the amount of people I have met (or myself) having
issues using Suhosin while not having them with a vanilla PHP.

> I do not have the time or wish to convince the PHP developers to add some features that most probably after some time will be copied/clones/reimplemented anyway.

But you have time to convince them and the distros to use the patch,
there is something wrong here :)

> The only problem I see is that some PHP developers negate the fact that Suhosin increases security of PHP (which was proven again and again for 8 years, why else clone features) and recommend people to stay away from it: This is malicious.

You miss the point. And please, make yourself a favour, don't consider
all PHP developers as being one single entity, it is not. The
discussions you could have in the past and what other thinks today are
two different things. In other words, move forward, stop to keep
looking at the past.

> And yes I like the Suhosin codebase separate, because if there is a bug I can smack the responsible person (myself) over the head bigtime.

It is indeed easier for you to work with you alone. Now if I put that
from our users base perspective, this argument is totally invalid.

> If Suhosin merges with PHP a lot of patches will go into the code and the work to keep track with every commit that touches some Suhosin feature will explode.

> Just look at security patches like this:
>
> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997
>
> Yes it is one of the features that is in Suhosin for a long time -> anyway that security fix is completely broken and noone cares about it.

This is exactly where you should help php directly instead of doing
what you do now to defend your patch. In the long run (or maybe even
mid term), the Suhosin patch will disappear.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org