Newsgroups: php.internals
Date: Sat, 4 Feb 2012 11:11:28 -0700
From: jason.gerfen@gmail.com
To: John Crenshaw
Cc: Stas Malyshev, Stefan Esser, Pierre Joye, Soenke Ruempler - Jimdo, PHP internals, security@php.net, zigo@debian.org
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

+1

Not certain about a better solution but there are other methods of encrypting and decrypting session data. In a recent project I have been tasked with implementing a PDO stored procedure using MySQL's AES functionality, which works well with or without the patch. In a lot of ways I think that is the benefit of any programming language. The tools exist, implement them right?

Jas

On Feb 4, 2012, at 10:21 AM, John Crenshaw wrote:

> OK, All the mud slinging is getting really silly (on *both* sides). There's no need to denigrate others because you don't agree with them. There's no point in arguing about who isn't a team player or who works for which evil multinational corporation. Nobody is attacking anybody else by suggesting that Suhosin is or is not critical, and none of that really matters anyway.
>
> I may have missed something, but has anyone asked *why* the patch was disabled?
> I think I could make a good guess, but I haven't seen even the slightest hint of the actual reasons in this email chain (though I could easily have missed it entirely).
>
> IMO we should try to focus on:
> 1. What are the pros vs. cons of enabling the Suhosin patch by default?
> 2. Why did the Debian team opt to disable it?
> 3. Are there better solutions that should be considered and recommended?
>
> John Crenshaw
> Priacta, Inc.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php