Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57638
Return-Path: <soenke@jimdo.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27753 invoked from network); 3 Feb 2012 00:48:35 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2012 00:48:35 -0000
Authentication-Results: pb1.pair.com smtp.mail=soenke@jimdo.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=soenke@jimdo.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain jimdo.com from 207.97.245.113 cause and error)
X-PHP-List-Original-Sender: soenke@jimdo.com
X-Host-Fingerprint: 207.97.245.113 smtp113.iad.emailsrvr.com Linux 2.6
Received: from [207.97.245.113] ([207.97.245.113:51286] helo=smtp113.iad.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A7/70-21135-1EE2B2F4 for <internals@lists.php.net>; Thu, 02 Feb 2012 19:48:34 -0500
Received: from smtp51.relay.iad1a.emailsrvr.com (localhost.localdomain [127.0.0.1])
	by smtp51.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 156E120C0F;
	Thu,  2 Feb 2012 19:48:31 -0500 (EST)
X-SMTPDoctor-Processed: csmtpprox 2.7.4
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp51.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 0F1CE206FD;
	Thu,  2 Feb 2012 19:48:31 -0500 (EST)
X-Virus-Scanned: OK
Received: by smtp51.relay.iad1a.emailsrvr.com (Authenticated sender: soenke-AT-jimdo.com) with ESMTPSA id 6666F2052C;
	Thu,  2 Feb 2012 19:48:30 -0500 (EST)
Message-ID: <4F2B2ED8.4050900@jimdo.com>
Date: Fri, 03 Feb 2012 01:48:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111220 Thunderbird/9.0
MIME-Version: 1.0
To: Stas Malyshev <smalyshev@sugarcrm.com>
CC: Reindl Harald <h.reindl@thelounge.net>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com>
In-Reply-To: <4F2AC9CA.2070308@sugarcrm.com>
X-Enigmail-Version: 1.3.5
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enig77C2B978FA1B1C67BF20F2FD"
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: soenke@jimdo.com (Soenke Ruempler - Jimdo)

--------------enig77C2B978FA1B1C67BF20F2FD
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 02/02/2012 06:37 PM, Stas Malyshev wrote:
> Hi!it sucks major ass,  as=20
>=20
>> yes, but suhosin-extension and hardening patch exists since many years=

>>
>> the question from a normal user:
>> why are these things not included in the core?
>=20
> Because some of these things slow down the code and thus may not be
> beneficial to the most users.

So, I respect everyone of you, but please consider:

Most users =3D=3D=3D=3D low traffic webhosting stuff, people will never e=
ver
notive performance penantly within millisesond intervals. They neither
care about security nor about performance.

Minority of users =3D=3D=3D=3D facebook, flickr, etsy -> they know what t=
hey do
and they can scale horizontally and optimize PHP by their own (HINT:
HipHop). You, the PHP core team, do not have to care about their website
slowing down. They have people that know the advantages and
disadvantages of PHP.

_YOUR_ responsibility as the provider (READ: provider) of a
programming-language is to provide a secure environment in favor a
micro-optimized performance.

So, sorry guys but this performance argument is simply really BOGUS for
99.99999% of your users. Optimizing bytecodes is cool but securing the
interwebs is just more important.

Please first provide a default secure config and second you might
document the more unsecure setting by saying "you know what you do".

Otherwise you are wasting millions of dollars of money of other people.
People will leave you, PHP will get more and more hilarious.

It doesn't matter if you like Stefan Esser or not. He may not be the the
most sensible or nicest guy in the world but he's probably the best php
security expert. He might be an asshole, jerk or whatever, BUT he shares
his experience and knowledge via CODE (!). He does not (directly) earn
money with it. You can ignore his trolling statements and just use his
code. It will at most touch your honor.

I know it's hard because he personally attacks people and this doesn't
help at all, but deal with him. He really made PHP and the interwebs
more secure for the last decade.

Do not respect him for how (bad) he's communicating things, respect him
for what he coded. We are coders.

Be humble and get shit done. Really.

--=20

best regards,

Soenke Ruempler // @s0enke
Development

Jimdo GmbH - Pages to the People.
Stresemannstr. 375 | 22761 Hamburg | Germany
Tel: +49 40 82244999 | Fax: +49 40 82244998

Gesch=C3=A4ftsf=C3=BChrer: F. Detzner | M. Henze | C. Springub
Amtsgericht Hamburg, HRB 101417

mailto: soenke@jimdo.com
Create your own JimdoFree-Page at http://www.jimdo.com!


--------------enig77C2B978FA1B1C67BF20F2FD
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8rLt0ACgkQmQx0dyByTUFaxwCfUxM/zVJ0pnMsDud+meqw6nYm
jNMAoKeVOKIwfQZs1zqIKWuA6E29vgJH
=oS13
-----END PGP SIGNATURE-----

--------------enig77C2B978FA1B1C67BF20F2FD--