Newsgroups: php.internals
Message-ID: <4F2D01A0.3050000@sugarcrm.com>
Date: Sat, 04 Feb 2012 02:00:00 -0800
Organization: SugarCRM
To: Stefan Esser
CC: PHP internals, security@php.net
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> This is bad. And there is no point arguing this fact.

Yes, this was bad. Agreed. It was a mistake. Mistakes happen. We fixed it and hopefully learned from it.

> These are all basic principles of security mitigations. Why is there
> a need to write up RFC about these things. They are widely accepted
> by other software vendors/products.

Because there's a difference between principles and applying them in a particular manner in a particular patch to particular software. The responsibility of core PHP developers is to evaluate the specific solutions and patches and decide if they are good or not. Regardless of how well or badly it was done in specific cases in the past, this is what should be done. If the author of the patch doesn't want to do this - well, ok, so he would have his patch and we probably won't, unless we find other ways to do it - maybe even the worst way possible, by having a security problem illuminate the need - but I see no way around it.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227