Newsgroups: php.internals
Xref: news.php.net php.internals:57628
Message-ID: <4F2ACEEB.4080202@sugarcrm.com>
Date: Thu, 02 Feb 2012 09:59:07 -0800
Organization: SugarCRM
To: Stefan Esser
CC: Pierre Joye, Ondřej Surý, 657698 <657698@bugs.debian.org>, Christoph Anton Mitterer, Douglas Calvert, Jesse Molina, Carlos Alberto Lopez Perez, PHP internals, Debian Developers, Debian PHP Maintainers
References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de>
In-Reply-To:
<46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de>
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> I know that for many years you have not understood the idea behind
> Suhosin, the concept of exploit mitigations.

I think we have a difference of approaches here, and it is well known. There's more or less a consensus among PHP devs that to introduce a feature into PHP, especially one with a high performance cost to users and other risks, its necessity to the user needs to be proven and to outweigh the problems it causes. You seem to advocate the approach in which performance and convenience can and should be sacrificed to security. It is a matter of opinion, and each one has its own validity. We would probably have to agree to disagree here for now.

That said, I personally would be happy to see more participation from you - including and especially contributing and maintaining the parts of the Suhosin patch that do not have high costs and user issues associated with them and are not controversial - I think it would benefit PHP a lot. Of course, it's your decision, but I think that would be better both for PHP security and for PHP users, who have little interest in what belongs where and why. Right now the only person who can maintain and support any line of code in Suhosin is you, which is not always helpful to the users.

> The most obvious one is that the code is clearly separated, so that
> not someone of the hundred PHP committers accidentally breaks a safe
> guard.

There's no "hundred PHP committers" except in theory. In practice, the number of people regularly committing to the relevant part of the core is probably fewer than 10.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227