Newsgroups: php.internals
From: calestyo@scientia.net (Christoph Anton Mitterer)
To: Debian Developers
Cc: 657698 <657698@bugs.debian.org>, PHP internals, Debian PHP Maintainers
Date: Fri, 03 Feb 2012 01:28:22 +0100
Message-ID: <1328228902.3385.151.camel@fermat.scientia.net>
Subject: Re: Suhosin patch disabled by default in Debian php5 builds

Hey.

First, thanks Ondřej, for bringing this to a wider audience :)

On Thu, 2012-02-02 at 13:55 +0100, Ondřej Surý wrote:
> 1. Suhosin patch has an impact on the speed and memory usage. This has
> been documented and even author admits it [1].
>
> 2. It doesn't help our users when reporting bugs to upstream - the
> usual answer is - try if that happens with vanilla php.
>
> 5. Keeping our code close to upstream and to other linux distros
> (Fedora - no, Suse - optional) is a way how to provide our users with
> consistent behaviour across the Linux ecosystem.

I guess these three could be solved by my suggestion of having separate packages with and without the suhosin core patch applied.

In case of (1), people can just choose. This is just what Stas Malyshev talked about. Some people may depend on speed/memory... some absolutely not (just take my little DAViCal server which is responsible for #657698 and this discussion ;) ).

In case of (2), one can ask them to reproduce it first with the non-suhosin package.

> 3. Stefan's relationships with PHP upstream (and vice versa)[1] isn't
> helping very much - and I think we (pkg-php) have improved our
> relationship with upstream in past few years a lot.

I don't know any details here, but as long as his patches work well on the vanilla source,... it shouldn't be a major issue for Debian, right?

I agree with Stefan, that having such guards is a good thing. This is to some extent why things like grsecurity, PaX, and similar exist. There always was need for them,.. and I guess there always will be.
Just saying "there were only few security holes recently" is not an argument. An argument would be "most/all features of suhosin are now integrated or handled similarly in PHP anyway".

I think that also his argument of the advantage of having such a patch external is not too stupid,... of course it makes problems in other corners.

Btw: Stefan, while I understand that you may feel offended that suhosin is dropped/attacked/criticised, I guess it doesn't help that you use unfriendly words. And the same applies to those who did vice versa (to Stefan).

On Thu, 2012-02-02 at 15:26 -0800, Russ Allbery wrote:
> For example, Debian could immediately become a much more secure OS
> by enabling SELinux in enforcing mode on all Debian systems.
> The reason why we don't do this is that currently that tradeoff
> doesn't make sense; too much other stuff doesn't work, too much
> other effort is required, and we're not in a position to enforce
> that technology, even if it would increase security.

I don't want to open a discussion about whether SELinux or some other framework is THE answer ;-) but I always had the impression that the blocker here was rather that there is (which is also a good thing) no single dictator in Debian who can really say: All maintainers, listen up, go and support SELinux in your packages. (Which RedHat can do).

Apart from that, I fully agree with your arguments.

The reason why I've opened #657698 was just because I thought it could be possible for the PHP maintainers to reduce their burden, by just offering both, packages with suhosin and without. If there are bugs in the with-suhosin version, they can either redirect people to upstream, or the no-suhosin version or even (if time is available) try to help.

I have however still not understood, whether one would need to compile the extensions for both versions, Stefan?!

On Fri, 2012-02-03 at 10:45 +1100, Russell Coker wrote:
> SE Linux is supported in critical packages including the kernel,
> sysvinit, and cron. So any user who wants to use it can just
> install the SE Linux specific packages and rely on the built-in
> support for SE Linux in important base packages.
> This compares to the PHP/Suhosin situation where users who want that
> have no option other than to download the source and the Suhosin
> patch and build their own packages.

Phew,.. but is it really a good idea to let this be done by innocent end-users?! I mean this IS just why the critical packages support SELinux and don't require the users to do it themselves. Analogously, this applies to the PHP core packages, IMHO.

On Fri, 2012-02-03 at 04:11 +0800, Thomas Goirand wrote:
> Something I don't get here. If there's this issue, and
> different tastes, why can't a build flag be used, so
> that you can choose security or speed depending on your
> needs? If you do some:
>
> #ifdef ENABLE_SLOWER_SUHOSIN_SECURITY
>
> in the controversial parts, then I don't see how this
> would be of trouble for anyone to have Suhosin included
> in upstream PHP.

Absolutely +1 ;-) But this wouldn't solve our discussion here... the question would still be open, whether Debian sets this flag or not, or whether it makes two binary packages.

Cheers,
Chris.