Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:57693 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 7806 invoked from network); 4 Feb 2012 10:17:59 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Feb 2012 10:17:59 -0000 Authentication-Results: pb1.pair.com smtp.mail=stefan@nopiracy.de; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=stefan@nopiracy.de; sender-id=unknown Received-SPF: error (pb1.pair.com: domain nopiracy.de from 81.169.146.162 cause and error) X-PHP-List-Original-Sender: stefan@nopiracy.de X-Host-Fingerprint: 81.169.146.162 mo-p00-ob.rzone.de Solaris 10 (beta) Received: from [81.169.146.162] ([81.169.146.162:22027] helo=mo-p00-ob.rzone.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CD/2C-08838-6D50D2F4 for ; Sat, 04 Feb 2012 05:17:58 -0500 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; t=1328350675; l=1130; s=domk; d=nopiracy.de; h=To:References:Content-Transfer-Encoding:Cc:Date:In-Reply-To:From: Content-Type:Mime-Version:Subject:X-RZG-CLASS-ID:X-RZG-AUTH; bh=RWzJcwA5HLmXadWsbQVmnvFubOs=; b=cDH6mdi6Kkh2hOcMgd/lvf9W+4iuB9rWkml2nbDvj58TgSaUyL0afW6XQoxkRB9ODOJ 1GkFjonPv44gj8EnbIN5L8eZNQdcz4hsADzTZrOpU/FViOswLw8hWUEWrJ+ZsS41pKaGX w1XrR+g1zs6AfTfZ/edS05dJjLdztbKd18I= X-RZG-AUTH: :OH4FY0Wkd/plSHgwfKFIgHoVYx5SSathkA9OvI+ii+JXGfvQUzm/Ahii7iullNGyVg== X-RZG-CLASS-ID: mo00 Received: from [10.23.17.42] (cable-78-34-71-151.netcologne.de [78.34.71.151]) by smtp.strato.de (klopstock mo61) (RZmta 27.6 DYNA|AUTH) with (AES128-SHA encrypted) ESMTPA id o01e5bo146VYQk ; Sat, 4 Feb 2012 11:17:31 +0100 (MET) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=iso-8859-1 In-Reply-To: Date: Sat, 4 Feb 2012 11:17:31 +0100 Cc: Pierre Joye , Stas Malyshev , Soenke Ruempler - Jimdo , PHP internals , "security@php.net" , "zigo@debian.org" Content-Transfer-Encoding: quoted-printable Message-ID: <960A6E4B-ABA7-4FDE-80F8-120815E54907@nopiracy.de> References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> To: marius adrian popa X-Mailer: Apple Mail (2.1251.1) Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds From: stefan@nopiracy.de (Stefan Esser) Hello, > I only say a few words and then i will be silent > I tend to agree with Linus on this one "Security people are insane" Yes and the security community thinks that Linus is insane for his view = on security topics. > Not words : write RFC(docs),patches with sane techincal disscussions > or a pluggable architecture with extensions and rules, something like > is done with LSM http://en.wikipedia.org/wiki/Linux_Security_Modules > or mod_security in apache It is funny that you come to this thread not knowing what you are = talking about and say we should do something like mod_security for = Apache. You obviously have no idea that the majority of Suhosin features is = already inside an extension to PHP. The only stuff not inside that extension are features that need to be in = the core and therefore cannot be in an extension. And these mitigations inside the core are stuff like memory manager = canaries that are considered too much a performance impact by PHP.net. Therefore these patches have to be in a separate patch. Therefore all = the features are in the patch. Regards, Stefan