Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57715
Return-Path: <clint@fewbar.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 88545 invoked from network); 4 Feb 2012 19:20:31 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 4 Feb 2012 19:20:31 -0000
Authentication-Results: pb1.pair.com smtp.mail=clint@fewbar.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=clint@ubuntu.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain fewbar.com from 65.98.207.160 cause and error)
X-PHP-List-Original-Sender: clint@fewbar.com
X-Host-Fingerprint: 65.98.207.160 xenclint.srihosting.com  
Received: from [65.98.207.160] ([65.98.207.160:48366] helo=xen.spamaps.org)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 2D/42-05582-DF48D2F4 for <internals@lists.php.net>; Sat, 04 Feb 2012 14:20:30 -0500
Received: from fewbar.com (cpe-76-94-215-209.socal.res.rr.com [76.94.215.209])
	by xen.spamaps.org (Postfix) with ESMTP id 913001600A5
	for <internals@lists.php.net>; Sat,  4 Feb 2012 11:20:26 -0800 (PST)
Received: by fewbar.com (Postfix, from userid 1000)
	id EAAD72803AE; Sat,  4 Feb 2012 11:20:24 -0800 (PST)
Content-Type: text/plain; charset=UTF-8
To: internals <internals@lists.php.net>
In-reply-to: <CAGSj+Qs5GTp8RGc2HKeJm7N7CexCg21wDEJ8ONEKEKVafoiYuA@mail.gmail.com>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <CAEZPtU5CP3GqUnKsxx51-ieHAdGh=ySvZCWhhAwa0kwuNG6Bhg@mail.gmail.com> <A33C7716-F355-455E-863D-5458205C3208@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <A633CF2D7C7BED41B41F1E64F25507B8069D29BD16@MAILR001.mail.lan> <CAGSj+Qs5GTp8RGc2HKeJm7N7CexCg21wDEJ8ONEKEKVafoiYuA@mail.gmail.com>
Date: Sat, 04 Feb 2012 11:20:24 -0800
Message-ID: <1328381837-sup-1234@fewbar.com>
User-Agent: Sup/git
Content-Transfer-Encoding: 8bit
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: clint@ubuntu.com (Clint Byrum)

Excerpts from Kiall Mac Innes's message of Sat Feb 04 09:34:44 -0800 2012:
> Hi John,
> 
> Ondřej (One of the Debian PHP maintainers) listed 5 or 6 reasons in the
> initial email in this thread.
> 
> Honestly, I can't think of a good reason for Debian or anyone else to
> include 3rd party patches, whatever the patches purpose, in the default PHP
> packages.
> 

There are plenty of reasons to use a 3rd party patch. Operating systems
are about supporting an well integrated system. If parts of that system
are breaking integration or eating peoples data, the os integrator
(Debian, RedHat, CentOS, Ubuntu, or even MS in some cases) must act to
support its users.

Staying as close as possible to upstream is absolutely critical for
efficient operation of an Open Source operating system project like Debian
and Ubuntu. However, above efficiency is security. If Suhosin mitigates
security vulnerabilities, lowering the urgency with which fixes must be
rushed out to users, then carrying it as a patch is, IMO, worth it.

I have to sympathize with Ondrej, as I know how much effort he puts into
maintaining the PHP packages in Debian. Its pretty demoralizing pushing
a bug report upstream when you know its likely to get a response of
"please try without Suhosin".

I think a more interesting discussion than the current one of "who
plays nice with whom" and "why I don't like your processes", is whether
anyone other than Stefan would be willing to champion RFCs for all of
the Suhosin patch to enter PHP's core, and be turned on by default.

We've talked briefly in the Ubuntu project about this latest development,
as we generally try to stay as close to Debian's packages as possible.
Members of our security team have expressed reservations about
following Ondrej's lead here. These are the people who have to work
to get vulnerabilities patched in a timely manner across all supported
releases of Ubuntu long after upstream has dropped support (currently
that includes php 5.2.4 - 5.3.6).

So, I think I could probably put myself in as somebody that would support
an effort to bring Suhosin's mitigations into PHP core. I don't know
that the greater Ubuntu roject could devote many man-hours to it, but
perhaps I could write the RFC's and offer resources for testing. Since
the patches are already written, it shouldn't be much code work, right?

I think this would be something to discuss at the next Ubuntu Developer
Summit. I don't believe we'll be disabling Suhosin in the precise release,
scheduled to release as 12.04 in April. However, eliminating deltas
from Debian and the greater community are always a topic that deserves
discussion. I'd invite the PHP community to come and discuss this with
us at this free event in Oakland, CA, USA, May 7 - 11.

http://uds.ubuntu.com/

You can even request travel sponsorship here:

http://summit.ubuntu.com/uds-q/sponsorship

(let me know privately if you apply, and I can ask the organizers to give
your sponsorship request a closer look)