Newsgroups: php.internals
Xref: news.php.net php.internals:57621
Date: Thu, 2 Feb 2012 17:26:22 +0100
From: pierre.php@gmail.com (Pierre Joye)
To: Stefan Esser
Cc: PHP internals
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

On Thu, Feb 2, 2012 at 5:10 PM, Stefan Esser wrote:
> Hello Pierre,
>
>> For one, some were not ported but features were implemented, with
>> the support of their original authors. They are not related to
>> Suhosin, like the Blowfish support, which I ported to php with the
>> help of Solar Designer. Suhosin uses the same implementation.
>
> Sorry it makes no difference if a feature was introduced into PHP by taking code from Suhosin or from someone else. Fact is the feature existed before in Suhosin.

I corrected your statement, in fact it makes no difference except that giving back to Caesar...

> The thing is: I see no problem with the status quo - Suhosin exists and people can use it - it is like people can choose if they want ASLR, NX, Fortify Source on their system.

I do see a problem and this problem is the reason why I do not think Suhosin is the right way. To me it creates more issues than it solves. I cannot count the number of people I have met (or myself) having issues using Suhosin while not having them with a vanilla PHP.

> I do not have the time or wish to convince the PHP developers to add some features that most probably after some time will be copied/cloned/reimplemented anyway.

But you have time to convince them and the distros to use the patch, there is something wrong here :)

> The only problem I see is that some PHP developers negate the fact that Suhosin increases security of PHP (which was proven again and again for 8 years, why else clone features) and recommend people to stay away from it: This is malicious.

You miss the point. And please, do yourself a favour, don't consider all PHP developers as being one single entity, it is not. The discussions you could have in the past and what others think today are two different things. In other words, move forward, stop looking at the past.
> And yes I like the Suhosin codebase separate, because if there is a bug I can smack the responsible person (myself) over the head bigtime.

It is indeed easier for you to work with you alone. Now if I put that from our user base's perspective, this argument is totally invalid.

> If Suhosin merges with PHP a lot of patches will go into the code and the work to keep track with every commit that touches some Suhosin feature will explode.
> Just look at security patches like this:
>
> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997
>
> Yes it is one of the features that is in Suhosin for a long time -> anyway that security fix is completely broken and no one cares about it.

This is exactly where you should help php directly instead of doing what you do now to defend your patch.

In the long run (or maybe even mid term), the Suhosin patch will disappear.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org