Newsgroups: php.internals
From: smalyshev@sugarcrm.com (Stas Malyshev)
Date: Sat, 04 Feb 2012 02:05:40 -0800
To: Stefan Esser
CC: Pierre Joye, PHP internals, "security@php.net"
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Hi!

> Nevertheless PHP 5.3.9 introduced a vulnerability because PHP.net
> cloned one of those "we see no need for any features" features.

Vulnerability was introduced because of the security fix for a specific problem, that unfortunately was done incorrectly. If this feature were requested before and it were motivated, the fix would appear earlier. As you are not interested in doing this and nobody else did this too, it did not happen. That's all there is to it.

It is sad that you seem to frame this as if there's some conflict between PHP as a project and yourself, where PHP project members engage in war against you and at the same time "clone" your ideas. It is a very unfortunate way of approaching it and a very unproductive one.

Your complaints with Pierre notwithstanding - and I will not discuss them, you're both grown ups and can do it without me - I think it would be much more helpful to continue the cooperation on technical matters. I would want it to be better, but it takes two to tango, so if it's not to be, so be it. I just want to make it clear that the invitation is there. And of course we will "clone" any security feature that we think will make overall working with PHP better - if and when we see this is the case.

> And BTW you cannot play the: It is Pierre you know him card. The PHP
> developers are free to step up and say publicly that Pierre's view is
> not that of the developers. But you choose to not to do so. So you
> are behind him.
If it was not clear that Pierre's views are Pierre's views, and my views are my views, and anybody else's views in PHP project is his views and we don't share a hive mind but instead each has his own mind and thus has independent views and capable of discussing them and hashing out inevitable differences in views and disagreements and we regularly and publicly do it - here's your declaration, this is exactly the case. We're a diverse group of individuals having a lot of differences but a common goal of supporting the PHP project.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227