Newsgroups: php.internals
Date: Sat, 4 Feb 2012 10:14:05 +0100
From: pierre.php@gmail.com (Pierre Joye)
To: Stefan Esser
Cc: Stas Malyshev, Soenke Ruempler - Jimdo, PHP internals, "security@php.net", "zigo@debian.org"
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

hi Stefan,

On Sat, Feb 4, 2012 at 9:41 AM, Stefan Esser wrote:

> But instead of accepting the gift, people like Pierre run around and tell everybody that people only have more problems due to Suhosin, that he is happy that it gets dropped, bla bla bla.

Yes, it causes more issues than it solves in the long run. That's my experience and the same has been told by other people. There is no personal reason behind it, but pure technical experiences.

> This is ironic because Pierre's employer is Microsoft (excuse me if that is not correct anymore).

Again you are totally wrong. I work with them, not for. And can you please once in this thread (or at all) stop your kiddish personal attack and finally bring technical points to this discussion? Can you do it?

> Microsoft created "recently" Suhosin for Windows. They call it EMET and they actively support it, not fight it like cancer.

It is very pretentious to consider that EMET has been created from or because of Suhosin. Also some Suhosin features are per se enabled on Windows through VC options (whether they act the same way or not is disputable but you know it).

> I see NO REASON why I should kill Suhosin and maybe 5 of 100 features/mitigations go into mainline PHP.
> If that happens it is not good enough for me. I want all 100 features/mitigations in MY SERVERS.

Nobody ever asked you to kill it. Never. But we did kindly and friendly ask you to participate instead of doing your little crusades like these days.

> A suhosin that is merged to PHP mainline will never provide the same security as an external solution.
> This is not good enough for me.

That's your opinion, I'm convinced of the opposite. The issue here is that you lived in the past, based on your experiences with php core years ago, php3/4 and partially 5/5.2. It is really time for you to wake up.

> Also PHP.net demands that I convince them to take feature A, B and F from Suhosin into PHP.

It is a standard procedure that applies to any new feature. Many projects do that as well. There is no exception, even for you.

> I get ordered to sit down and write RFCs about these features and explain why they need to go inside.

Please double read my replies, I do not see any order but kind suggestions.

And yes, I do lobby against Suhosin because I consider it causes more harm to the whole thing than what it solves. That's my right and I do not engage php.net in my statement but only my personal opinions. And I will continue to lobby, actually not against Suhosin, but to get what PHP needs in PHP and not in some random external patches.

I also try to convince you to finally get around your personal issues with us and join our efforts. I do that every time we meet live at conferences or other events. It is also somehow amusing that you are much more polite and nice in a live discussion than through emails, let's try to solve that next time we meet :-)

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org