Newsgroups: php.internals
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: stefan@nopiracy.de (Stefan Esser)
To: Stas Malyshev
Cc: Pierre Joye, Soenke Ruempler - Jimdo, PHP internals, security@php.net, zigo@debian.org
Date: Sat, 4 Feb 2012 09:41:42 +0100
In-Reply-To: <4F2CEA7E.9010906@sugarcrm.com>
Message-ID: <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de>

Good morning,

> Well, here's the answer why Suhosin is not part of PHP.
>
>> With Suhosin existing I am free to implement as many security
>> mitigations I like and do not have to beg the PHP developers to
>> consider adding something.
>
> Some people call "begging" collaboration and consider it a normal way to develop software with teams bigger than one person. Of course, being part of the team is completely voluntary. I think it is clear that Stefan is not interested

The Suhosin project was started because I personally considered the state of PHP security not good enough for MY SERVERS.

And while you don't like it, the security history of PHP (and the fact of how often a bug never even affected Suhosin-patched PHP) has proven that I was right.

I want to have the best possible protection on MY SERVERS.

The fact that others can use Suhosin is a gift from me. I could keep the project completely to myself (or let people pay for it). But I did not.

But instead of accepting the gift, people like Pierre run around and tell everybody that people only have more problems due to Suhosin, that he is happy that it gets dropped, bla bla bla.

This is ironic because Pierre's employer is Microsoft (excuse me if that is not correct anymore). Microsoft "recently" created Suhosin for Windows. They call it EMET and they actively support it, not fight it like cancer.
I see NO REASON why I should kill Suhosin and maybe 5 of 100 features/mitigations go into mainline PHP.

If that happens it is not good enough for me. I want all 100 features/mitigations in MY SERVERS.

A Suhosin that is merged into PHP mainline will never provide the same security as an external solution. This is not good enough for me.

Also, PHP.net demands that I convince them to take feature A, B and F from Suhosin into PHP. I get ordered to sit down and write RFCs about these features and explain why they need to go inside.

Why should I waste my time like that? I know for sure that whatever the outcome of it will be, it will be a compromise (if at all) that will not be sufficient for my personal taste.

So in the end, from my point of view, people have to use Suhosin anyway. Why also waste time merging 5 features of 100 if I can do something more useful in that time and give my Suhosin users 20 more new mitigations?

Also, history has proven that sooner or later PHP.net gets bitten by some vulnerability in the ass and then they will clone one of the Suhosin features anyway.

Regards,
Stefan Esser