Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57688 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 99857 invoked from network); 4 Feb 2012 09:59:46 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Feb 2012 09:59:46 -0000 Authentication-Results: pb1.pair.com smtp.mail=dramalho@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=dramalho@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.210.170 as permitted sender) X-PHP-List-Original-Sender: dramalho@gmail.com X-Host-Fingerprint: 209.85.210.170 unknown Received: from [209.85.210.170] ([209.85.210.170:60750] helo=mail-iy0-f170.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 38/AA-08838-1910D2F4 for ; Sat, 04 Feb 2012 04:59:46 -0500 Received: by iakk32 with SMTP id k32so6816193iak.29 for ; Sat, 04 Feb 2012 01:59:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=xyvN0LfR63cqro1GA0RkMjdDlh7Tb890xiWXT40gOU8=; b=XWMLsElVMbuddRyRoOfskPEmL+wZVXXqjq27jJ/s3WFtOo1BC2b8dnTIrdRk91GL18 RJlrf9av3w4xXsK0ymQECoibnSmIeULZE89+ZrE0s0xCle1TRp2+B4AkZX5hpnUWTx6Q Wl61njBbbCqcuT669L2hJUEW3f0GUy7pfLivo= Received: by 10.50.217.129 with SMTP id oy1mr15086679igc.4.1328349583256; Sat, 04 Feb 2012 01:59:43 -0800 (PST) MIME-Version: 1.0 Received: by 10.43.48.68 with HTTP; Sat, 4 Feb 2012 01:59:03 -0800 (PST) In-Reply-To: References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> Date: Sat, 4 Feb 2012 09:59:03 +0000 Message-ID: To: Pierre Joye Cc: Stefan Esser , Stas Malyshev , Soenke Ruempler - Jimdo , PHP internals , "security@php.net" , "zigo@debian.org" Content-Type: multipart/alternative; boundary=14dae934052b0c2ddd04b8207d43 Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds From: dramalho@gmail.com (David Ramalho) --14dae934052b0c2ddd04b8207d43 Content-Type: text/plain; charset=UTF-8 Guys sorry to barge in out of the blue, I recently signed up to the internals list after many years as a PHP user (like many many people of course :) ) and after the recent non-too happy releases. I'm looking ever forward to the next major PHP release and since I discovered the RFC's list I even know exactly what I can wait for - or be sad to see dropped . I'm mostly a feature oriented guy, but I recognize the obvious need too handle the many vectors that create security problems, and Suhosin has been part of that fight. Now, again, coming out of the blue like this means I miss all the finer points, the many contexts that lead intelligent people (in whatever group context) to extreme positions, like we're seeing here, I've seen it before, and I know intelligence and the general will to do good has nothing to do with it. . Anyway, keeping it brief, let me give you a user's perspective here about security and what it means. Technical aspects aside, having an external component mitigate a language (runtime) vulnerability is not scary for the external component, it's scary for the flaw actually being there in the core. Are there good reasons for this? Is it a architectural choice that inevitability leads to said vulnerability ? I'm guessing it isn't, because for the most part I don't think Suhosin changes any of the PHP feature set , so one would say that each of the problems Suhosin fixes could be fixed right at the source of it all. Now, going through RFC's to solve problems (not introduce new features) does seem to bring in bureaucratic work where there isn't a need for one, but I'm also guessing we all know that and that RFC's aren't used outside the feature set context. I also see, despite all this, a place for an external component, almost as I see a RC version, something like a firstline, more agile way to test code and solutions, but in the long run, I think everyone here would agree, something that Suhosin (or others) does better than PHP Core (baring all the finer contexts that I'm missing, like someone trying to actually make money out of their work by having a paid product instead of offering it to the community) would probably be ported into PHP (and out of Suhosin) in the next development iteration. Now, guys, as a user here, really, no finger pointing, no nothing, I don't care much for ego's , not when it means things go slower instead of faster, AS A USER, I would really like for sense to come in somewhere soon, and to see PHP moving forward, faster and better :) , and I'm sure the right people are gathered here to (keep) doing it :) David Ramalho ps: no paternalism meant, first email ever here, a very hot topic, put it in perspective please :) - thanks for reading On Sat, Feb 4, 2012 at 09:32, Pierre Joye wrote: > On Sat, Feb 4, 2012 at 10:25 AM, Stefan Esser wrote: > > > Grow up Pierre. > > here we go again... failed. next time.... --14dae934052b0c2ddd04b8207d43--