Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57690
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 207.97.245.163 as permitted sender)
Message-ID: <4F2D02F4.10404@sugarcrm.com>
Date: Sat, 04 Feb 2012 02:05:40 -0800
Organization: SugarCRM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Stefan Esser <stefan@nopiracy.de>
CC: Pierre Joye <pierre.php@gmail.com>, 
 PHP internals <internals@lists.php.net>,
 "security@php.net" <security@php.net>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <CAEZPtU5CP3GqUnKsxx51-ieHAdGh=ySvZCWhhAwa0kwuNG6Bhg@mail.gmail.com> <A33C7716-F355-455E-863D-5458205C3208@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> <4F2CF2DB.7000605@sugarcrm.com> <86A9EDF4-1EF0-40B9-AFE8-2667BB036F6F@nopiracy.de>
In-Reply-To: <86A9EDF4-1EF0-40B9-AFE8-2667BB036F6F@nopiracy.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> Nevertheless PHP 5.3.9 introduced a vulnerability because PHP.net
> cloned one of those "we see no need for any features" features.

Vulnerability was introduced because of the security fix for a specific 
problem, that unfortunately was done incorrectly. If this feature were 
requested before and it were motivated, the fix would appear earlier. As 
you are not interested in doing this and nobody else did this too, it 
did not happen. That's all there is to it. It is sad that you seem to 
frame this as if there's some conflict between PHP as a project and 
yourself, where PHP project members engage in war against you and at the 
same time "clone" your ideas. It is very unfortunate way of approaching 
it and very unproductive one. Your complaints with Pierre 
notwithstanding - and I will not discuss them, you're both grown ups and 
can do it without me - I think it would be much more helpful to continue 
the cooperation on technical matters. I would want it to be better, but 
it takes two to tango, so if it's not to be, so be it. I just want to 
make it clear that the invitation is there. And of course we will 
"clone" any security feature that we think will make overall working 
with PHP better - if and when we see this is the case.

> And BTW you cannot play the: It is Pierre you know him card. The PHP
> developers are free to step up and say publicly that Pierre's view is
> not that of the developers. But you choose to not to do so. So you
> are behind him.

If it was not clear that Pierre's views are Pierre's views, and my views 
are my views, and anybody else's views in PHP project is his views and 
we don't share a hive mind but instead each has his own mind and thus 
has independent views and capable of discussing them and hashing out 
inevitable differences in views and disagreements and we regularly and 
publicly do it - here's you declaration, this is exactly the case. We're 
a diverse group of individuals having a lot of differences but a common 
goal of supporting the PHP project.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227