Newsgroups: php.internals
Date: Sat, 4 Feb 2012 10:25:21 +0100
From: stefan@nopiracy.de (Stefan Esser)
To: Pierre Joye
Cc: Stas Malyshev, Soenke Ruempler - Jimdo, PHP internals, "security@php.net", "zigo@debian.org"
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Hello Pierre,

>> This is ironic because Pierre's employer is Microsoft (excuse me if that is not correct anymore).
>
> Again you are totally wrong. I work with them not for.
>
> And can you please once in this thread (or at all) stop your kiddish
> personal attack and finally bring technical points to this discussion?
> Can you do it?

Grow up Pierre. Telling people that you work for Microsoft while you only work with them is not a personal attack.
The technical points are all over my emails. You just choose to ignore them and highlight every second sentence of mine as personal attack.

>> Microsoft created "recently" Suhosin for Windows. They call it EMET and they actively support it, not fight it like cancer.
>
> It is very pretentious to consider that EMET has been created from
> or because of Suhosin. Also some Suhosin features are per se enabled
> on Windows through VC options (whether they act the same way or not is
> disputable but you know it).

See you do it again. You claim I believe EMET has been created because of Suhosin. I never said that. Although one of the lead developers of EMET compared it himself to it.

You know some features of Suhosin are already in PHP and the HTTP response splitting drama shows that when you break it there is a secondary layer of defense that protects you in case you use Suhosin.

> Nobody ever asked you to kill it. never. But we did kindly and
> friendly ask you to participate instead of doing your little crusades
> like these days.

No, you ordered me to sit down and write RFC so that I can convince YOU.

>> A suhosin that is merged to PHP mainline will never provide the same security as an external solution.
>> This is not good enough for me.
>
> That's your opinion, I'm convinced of the opposite. The issue here is
> that you lived in the past, based on your experiences with php core
> years ago, php3/4 and partially 5/5.2. It is really time for you to
> wake up.

Pierre it is time for you to come out of the delusional state. You repeatedly claim that everything is now superb.
Do you forget PHP 5.3.7 and PHP 5.3.9 both times there were security vulnerabilities introduced right after the last RC.
This is a sign that the PHP development process is still not healthy at all.

>> Also PHP.net demands that I convince them to take feature A, B and F from Suhosin into PHP.
>
> It is a standard procedure that applies to any new feature. Many
> projects do that as well. There is no exception, even for you.

No it is not a standard procedure that you order someone that does not see a need to merge features into PHP to sit down and write RFC to convince you nevertheless.

> And yes, I do lobby against Suhosin because I consider it causes more
> harms to the whole thing than what it solves. That's my rights and I
> do not engage php.net in my statement but only my personal opinions.
> And I will continue to lobby, actually not against Suhosin, but to get
> what PHP needs in PHP and not in some random external patches.

Enough said.

> I also try to convince you to finally get around your personal issues
> with us and join our efforts. I do that every time we meet live at
> conferences or other events. It is also somehow amusing that you are
> much more polite and nice in a live discussion than through emails,
> let's try to solve that next time we meet :-)

You claim I have personal issues, while I repeatedly tell you the technical reasons why I see it different than you.

Regards,
Stefan