Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57689
Return-Path: <smalyshev@sugarcrm.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 547 invoked from network); 4 Feb 2012 10:00:22 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Feb 2012 10:00:22 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 207.97.245.163 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@sugarcrm.com
X-Host-Fingerprint: 207.97.245.163 smtp163.iad.emailsrvr.com Linux 2.6
Received: from [207.97.245.163] ([207.97.245.163:36983] helo=smtp163.iad.emailsrvr.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id DB/BA-08838-FA10D2F4 for <internals@lists.php.net>; Sat, 04 Feb 2012 05:00:20 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp56.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id 036903D855D;
	Sat,  4 Feb 2012 05:00:01 -0500 (EST)
X-Virus-Scanned: OK
Received: by smtp56.relay.iad1a.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 504353D854B;
	Sat,  4 Feb 2012 05:00:01 -0500 (EST)
Message-ID: <4F2D01A0.3050000@sugarcrm.com>
Date: Sat, 04 Feb 2012 02:00:00 -0800
Organization: SugarCRM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Stefan Esser <stefan@nopiracy.de>
CC: PHP internals <internals@lists.php.net>, 
 "security@php.net" <security@php.net>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <CAEZPtU5CP3GqUnKsxx51-ieHAdGh=ySvZCWhhAwa0kwuNG6Bhg@mail.gmail.com> <A33C7716-F355-455E-863D-5458205C3208@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> <CAEZPtU6eYxWM+hL4RzO_Mpx7GgDe3cxJNbZXbwD2MXdFUPS+aA@mail.gmail.com> <A3FA10BF-D660-4705-BBF0-1AF8F9D27C35@nopiracy.de> <CAEZPtU7qyezW44HJbHS=wz5+2_O4PJywg8=Oafhn1JBLonQmwA@mail.gmail.com> <BB9858AE-5AC9-4602-9D6A-2240E0F497AD@nopiracy.de>
In-Reply-To: <BB9858AE-5AC9-4602-9D6A-2240E0F497AD@nopiracy.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> This is bad. And there is no point arguing this fact.

Yes, this was bad. Agreed. It was a mistake. Mistakes happen. We fixed
it and hopefully learned from it.

> These are all basic prinicples of security mitigations. Why is there
> a need to write up RFC about these things. They are widely accepted
> by other software vendors/products.

Because there's a difference between principles and applying them in a 
particular manner in particular patch to particular software. The 
responsibility of core PHP developers it to evaluate the specific 
solutions and patches and decide if they are good or not. Regardless of 
how well or badly it was done in specific cases in the past, this is 
what should be done. If the author of the patch doesn't want to do this 
- well, ok, so he would have his patch and we probably won't, unless we 
find other ways to do it - maybe even the worst way possible, by having 
security problem illuminate the need - but I see no way around it.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227