Newsgroups: php.internals
Message-ID: <4F2B2ED8.4050900@jimdo.com>
Date: Fri, 03 Feb 2012 01:48:24 +0100
To: Stas Malyshev
CC: Reindl Harald, internals@lists.php.net
References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com>
In-Reply-To: <4F2AC9CA.2070308@sugarcrm.com>
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: Soenke Ruempler - Jimdo <soenke@jimdo.com>

On 02/02/2012 06:37 PM, Stas Malyshev wrote:
> Hi!
> it sucks major ass, as
>
>> yes, but suhosin-extension and hardening patch exists since many years
>>
>> the question from a normal user:
>> why are these things not included in the core?
>
> Because some of these things slow down the code and thus may not be
> beneficial to the most users.

So, I respect every one of you, but please consider:

Most users
====
low traffic webhosting stuff, people will never ever notice the performance penalty within millisecond intervals. They neither care about security nor about performance.

Minority of users
====
facebook, flickr, etsy -> they know what they do and they can scale horizontally and optimize PHP on their own (HINT: HipHop). You, the PHP core team, do not have to care about their website slowing down. They have people that know the advantages and disadvantages of PHP.

_YOUR_ responsibility as the provider (READ: provider) of a programming language is to provide a secure environment rather than micro-optimized performance.

So, sorry guys, but this performance argument is simply really BOGUS for 99.99999% of your users. Optimizing bytecodes is cool, but securing the interwebs is just more important.

Please first provide a secure default config, and second you might document the more insecure setting by saying "you know what you do". Otherwise you are wasting millions of dollars of other people's money. People will leave you, PHP will get more and more hilarious.

It doesn't matter if you like Stefan Esser or not. He may not be the most sensible or nicest guy in the world, but he's probably the best PHP security expert. He might be an asshole, jerk or whatever, BUT he shares his experience and knowledge via CODE (!). He does not (directly) earn money with it. You can ignore his trolling statements and just use his code. It will at most touch your honor. I know it's hard because he personally attacks people and this doesn't help at all, but deal with him. He really made PHP and the interwebs more secure for the last decade. Do not respect him for how (badly) he's communicating things, respect him for what he coded.

We are coders. Be humble and get shit done. Really.

-- 
best regards,
Soenke Ruempler // @s0enke
Development

Jimdo GmbH - Pages to the People.
Stresemannstr. 375 | 22761 Hamburg | Germany
Tel: +49 40 82244999 | Fax: +49 40 82244998
Geschäftsführer: F. Detzner | M. Henze | C. Springub
Amtsgericht Hamburg, HRB 101417
mailto: soenke@jimdo.com

Create your own Jimdo Free-Page at http://www.jimdo.com!