Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57630
Return-Path: <h.reindl@thelounge.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 63748 invoked from network); 2 Feb 2012 18:11:59 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 2 Feb 2012 18:11:59 -0000
Authentication-Results: pb1.pair.com header.from=h.reindl@thelounge.net; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=h.reindl@thelounge.net; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain thelounge.net designates 91.118.73.15 as permitted sender)
X-PHP-List-Original-Sender: h.reindl@thelounge.net
X-Host-Fingerprint: 91.118.73.15 mail.thelounge.net  
Received: from [91.118.73.15] ([91.118.73.15:58241] helo=mail.thelounge.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 05/19-04454-DE1DA2F4 for <internals@lists.php.net>; Thu, 02 Feb 2012 13:11:58 -0500
Received: from rh.thelounge.net (rh.thelounge.net [10.0.0.99])
	(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.thelounge.net (Postfix) with ESMTPSA id 973BBA3
	for <internals@lists.php.net>; Thu,  2 Feb 2012 19:11:54 +0100 (CET)
Message-ID: <4F2AD1EA.70208@thelounge.net>
Date: Thu, 02 Feb 2012 19:11:54 +0100
Organization: the lounge interactive design
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120131 Thunderbird/10.0
MIME-Version: 1.0
To: "internals@lists.php.net" <internals@lists.php.net>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2ACB02.9020309@thelounge.net> <4F2ACFA7.9060800@sugarcrm.com>
In-Reply-To: <4F2ACFA7.9060800@sugarcrm.com>
X-Enigmail-Version: 1.3.5
OpenPGP: id=7F780279;
	url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enig90EE0A9C2A9B5D6172287B7B"
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: h.reindl@thelounge.net (Reindl Harald)

--------------enig90EE0A9C2A9B5D6172287B7B
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable



Am 02.02.2012 19:02, schrieb Stas Malyshev:
> Hi!
>=20
>> with many hundret active sessions was not a
>> single performance problem
>=20
> I'm not sure I understand what you are talking about here. Performance =
is a scale,=20
> not a trigger. If you lose 10% (totally invented number as an example) =
that doesn't=20
> mean you have 10 of "performance problems", it means you sites run 10% =
slower, you=20
> need 10% more servers, etc.

as long the cms generates a whole dynamic page from before the
first library include until the genereated page is ready in
0.014 seconds while you have some hundret active users including
an ajax check and having suhosin enabled at this time where
is a SINGLE reason to degrade security by default?

for people running on a 10 year old machine fast but unsecure?
what the hell - on a public sever security is the first and
most important topic and LONG after that performance is one

>> without bytecode-cache you have much more problems
> What bytecode cache has to do with it? Sounds like a non-sequitur.

overall performance

i look at the performance of the whole machine and not a single
part because the single part does not matter if it leads to
successful exploits at last and your whole server is down
and owned - what benefit had you after such things happened
because it was a little faster?

>> security is not beneficial to the most users?
>=20
> Please don't do that. I never said that security is not beneficial, and=
 as you quoted=20
> me you know that and you know that "not beneficial" related to the perf=
ormance hit=20
> the mitigation measures cost.

performance comes in the priority LONG after security
so this is nothing to discuss

>> security is THE benefit for ALL users, especially in days where many
>> are running crap-code like Joomla/Wordpress with all sorts of plugins
>> throwing millions of warning if you run with E_ALL and E_STRCIT
>=20
> What the quality of the code of Joomla has to do with anything? Suhosin=
 patches=20
> would not fix Joomla and most of the issues it helps with are totally u=
nrelated=20
> to any user code at all.

if code is blowing out millions of warnings it is poorly written code
and poorly written code is ALWAYS a security problem

look at the logs how many bad inputs suhosin is dropping
mostly of them are attacks

if someone attacks your machine EVERY piece increasing security will
make the rsik of a successful intrusion lower, and yes EVERY server
is attacked, every day and every night as long it has a public IP


--------------enig90EE0A9C2A9B5D6172287B7B
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8q0eoACgkQhmBjz394AnlB3wCfYx9PTQAyvmL0RuBLN952JQ1w
zxgAn30d59rz2QLC6hnjHu/Pm5AItNJp
=V8l/
-----END PGP SIGNATURE-----

--------------enig90EE0A9C2A9B5D6172287B7B--