Newsgroups: php.internals
Message-ID: <4F2AD1EA.70208@thelounge.net>
Date: Thu, 02 Feb 2012 19:11:54 +0100
From: h.reindl@thelounge.net (Reindl Harald)
To: internals@lists.php.net
In-Reply-To: <4F2ACFA7.9060800@sugarcrm.com>
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

On 02.02.2012 19:02, Stas Malyshev wrote:
> Hi!
>
>> with many hundred active sessions was not a
>> single performance problem
>
> I'm not sure I understand what you are talking about here. Performance is a scale,
> not a trigger. If you lose 10% (totally invented number as an example) that doesn't
> mean you have 10 of "performance problems", it means your sites run 10% slower, you
> need 10% more servers, etc.

as long as the CMS generates a whole dynamic page, from before the first library
include until the generated page is ready, in 0.014 seconds while you have some
hundred active users including an ajax check, and having suhosin enabled at this
time, where is a SINGLE reason to degrade security by default? for people running
on a 10 year old machine fast but insecure?

what the hell - on a public server security is the first and most important topic
and LONG after that performance is one

>> without bytecode-cache you have much more problems
>
> What bytecode cache has to do with it? Sounds like a non-sequitur.

overall performance

i look at the performance of the whole machine and not a single part, because the
single part does not matter if it leads to successful exploits at last and your
whole server is down and owned - what benefit had you after such things happened
because it was a little faster?

>> security is not beneficial to the most users?
>
> Please don't do that. I never said that security is not beneficial, and as you quoted
> me you know that and you know that "not beneficial" related to the performance hit
> the mitigation measures cost.

performance comes in the priority LONG after security, so this is nothing to discuss

>> security is THE benefit for ALL users, especially in days where many
>> are running crap-code like Joomla/Wordpress with all sorts of plugins
>> throwing millions of warnings if you run with E_ALL and E_STRICT
>
> What the quality of the code of Joomla has to do with anything? Suhosin patches
> would not fix Joomla and most of the issues it helps with are totally unrelated
> to any user code at all.

if code is blowing out millions of warnings it is poorly written code, and poorly
written code is ALWAYS a security problem

look at the logs how many bad inputs suhosin is dropping; most of them are attacks

if someone attacks your machine EVERY piece increasing security will make the risk
of a successful intrusion lower, and yes EVERY server is attacked, every day and
every night as long as it has a public IP