Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57682
Return-Path: <pierre.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 88919 invoked from network); 4 Feb 2012 09:14:16 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Feb 2012 09:14:16 -0000
Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.213.42 as permitted sender)
X-PHP-List-Original-Sender: pierre.php@gmail.com
X-Host-Fingerprint: 209.85.213.42 mail-yw0-f42.google.com  
Received: from [209.85.213.42] ([209.85.213.42:49550] helo=mail-yw0-f42.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id A0/D8-08838-6E6FC2F4 for <internals@lists.php.net>; Sat, 04 Feb 2012 04:14:15 -0500
Received: by yhfq11 with SMTP id q11so2157600yhf.29
        for <internals@lists.php.net>; Sat, 04 Feb 2012 01:14:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        bh=6aISGbEw7c3e+uvhV3xZ7FlJK3aE/G/CznK203MEnQU=;
        b=b5siI1WlQ3pAx8m568cOMFjfHZ8yZmx7KIVvlGCWrS0OZlrt87ODzp4pMUIld96hS3
         bd/Q4Rl41StpYY6SUMEEuyFc4v1kI/dTACmfAx6haXQa36qBfr3tz2TwyuqKcXaGhpCD
         4cT5RzYkZeZPhFAY+W7J6A1NyisoS4pvlpX7k=
MIME-Version: 1.0
Received: by 10.236.75.198 with SMTP id z46mr15095252yhd.45.1328346846132;
 Sat, 04 Feb 2012 01:14:06 -0800 (PST)
Received: by 10.146.197.7 with HTTP; Sat, 4 Feb 2012 01:14:05 -0800 (PST)
In-Reply-To: <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com>
	<5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de>
	<CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com>
	<4F2A9378.70803@thelounge.net>
	<4F2AC9CA.2070308@sugarcrm.com>
	<4F2B2ED8.4050900@jimdo.com>
	<72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de>
	<CAEZPtU5CP3GqUnKsxx51-ieHAdGh=ySvZCWhhAwa0kwuNG6Bhg@mail.gmail.com>
	<A33C7716-F355-455E-863D-5458205C3208@nopiracy.de>
	<4F2CEA7E.9010906@sugarcrm.com>
	<9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de>
Date: Sat, 4 Feb 2012 10:14:05 +0100
Message-ID: <CAEZPtU6eYxWM+hL4RzO_Mpx7GgDe3cxJNbZXbwD2MXdFUPS+aA@mail.gmail.com>
To: Stefan Esser <stefan@nopiracy.de>
Cc: Stas Malyshev <smalyshev@sugarcrm.com>, Soenke Ruempler - Jimdo <soenke@jimdo.com>, 
	PHP internals <internals@lists.php.net>, "security@php.net" <security@php.net>, 
	"zigo@debian.org" <zigo@debian.org>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: pierre.php@gmail.com (Pierre Joye)

hi Stefan,

On Sat, Feb 4, 2012 at 9:41 AM, Stefan Esser <stefan@nopiracy.de> wrote:

> But instead of accepting the gift, people like Pierre run around and tell everybody that people only have more problems due to Suhosin, that he is happy that it gets dropped, bla bla bla.

Yes, it causes more issues that it solves in the long run. That's my
experiences and the same has been told by other people. There is no
personal reason behind it, but pure technical experiences.

> This is ironic because Pierre's employer is Microsoft (excuse me if that is not correct anymore).

Again you are totally wrong. I work with them not for.

And can you please once in this thread (or at all) stop your kiddish
personal attack and finally bring technical points to this discussion?
Can you do it?

> Microsoft created "recently" Suhosin for Windows. They call it EMET and they actively support it, not fight it like cancer.

It is a very pretentious to consider that EMET has been created from
or because of Suhosin. Also some Suhosin features are per se enabled
on Windows through VC options (whehter they act the same way or not is
disputable but you know it).

> I see NO REASON why I should kill Suhosin and maybe 5 of 100 features/mitigations go into mainline PHP.
> If that happens it is not good enough for me. I want all 100 features/mitigations in MY SERVERS.

Nobody ever asked you to kill it. never. But we did kindly and
friendly ask you to participate instead of doing your little crusades
like these days.

> A suhosin that is merged to PHP mainline will never provide the same security as an external solution.
> This is not good enough for me.

That's your opinion, I'm convinced of the opposite. The issue here is
that you lived in the past, based on your experiences with php core
years ago, php3/4 and partially 5/5.2. It is really time for you to
wake up.

> Also PHP.net demands that I convince them to take feature A, B and F from Suhosin into PHP.

It is a standard procedure that applies to any new feature. Many
projects do that as well. There is no exception, even for you.

> I get ordered to sit down and write RFCs about these features and explain why they need to go inside.

Please double read my replies, I do not see any order but kind suggestions.

And yes, I do lobby against Suhosin because I consider it causes more
harms to the whole thing that what it solves. That's my rights and I
do not engage php.net in my statement but only my personal opinions.
And I will continue to lobby, actually not against Suhosin, but to get
what PHP needs in PHP and not in some random external patches.

I also try to convince you to finally get around your personal issues
with us and join our efforts. I do that every time we meet live at
conferences or other events. It is also somehow amusing that you are
much more polite and nice in a live discussion than through emails,
let try to solve that next time we meet :-)

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org