Newsgroups: php.internals
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: clint@ubuntu.com (Clint Byrum)
To: internals
Date: Sat, 04 Feb 2012 11:20:24 -0800
Message-ID: <1328381837-sup-1234@fewbar.com>
References: <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <4F2A9378.70803@thelounge.net> <4F2AC9CA.2070308@sugarcrm.com> <4F2B2ED8.4050900@jimdo.com> <72878E6C-4C17-4D94-9F73-1446769247E1@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com>
User-Agent: Sup/git

Excerpts from Kiall Mac Innes's message of Sat Feb 04 09:34:44 -0800 2012:
> Hi John,
>
> Ondřej (One of the Debian PHP maintainers) listed 5 or 6 reasons in the
> initial email in this thread.
>
> Honestly, I can't think of a good reason for Debian or anyone else to
> include 3rd party patches, whatever the patch's purpose, in the default PHP
> packages.
>

There are plenty of reasons to use a 3rd party patch. Operating systems are about supporting a well-integrated system. If parts of that system are breaking integration or eating people's data, the OS integrator (Debian, RedHat, CentOS, Ubuntu, or even MS in some cases) must act to support its users.

Staying as close as possible to upstream is absolutely critical for efficient operation of an Open Source operating system project like Debian and Ubuntu. However, above efficiency is security. If Suhosin mitigates security vulnerabilities, lowering the urgency with which fixes must be rushed out to users, then carrying it as a patch is, IMO, worth it.

I have to sympathize with Ondrej, as I know how much effort he puts into maintaining the PHP packages in Debian. It's pretty demoralizing pushing a bug report upstream when you know it's likely to get a response of "please try without Suhosin".

I think a more interesting discussion than the current one of "who plays nice with whom" and "why I don't like your processes" is whether anyone other than Stefan would be willing to champion RFCs for all of the Suhosin patch to enter PHP's core, and be turned on by default.

We've talked briefly in the Ubuntu project about this latest development, as we generally try to stay as close to Debian's packages as possible. Members of our security team have expressed reservations about following Ondrej's lead here. These are the people who have to work to get vulnerabilities patched in a timely manner across all supported releases of Ubuntu long after upstream has dropped support (currently that includes PHP 5.2.4 - 5.3.6).

So, I think I could probably put myself in as somebody that would support an effort to bring Suhosin's mitigations into PHP core. I don't know that the greater Ubuntu project could devote many man-hours to it, but perhaps I could write the RFCs and offer resources for testing. Since the patches are already written, it shouldn't be much code work, right?

I think this would be something to discuss at the next Ubuntu Developer Summit. I don't believe we'll be disabling Suhosin in the Precise release, scheduled to release as 12.04 in April. However, eliminating deltas from Debian and the greater community is always a topic that deserves discussion.

I'd invite the PHP community to come and discuss this with us at this free event in Oakland, CA, USA, May 7 - 11.

http://uds.ubuntu.com/

You can even request travel sponsorship here:

http://summit.ubuntu.com/uds-q/sponsorship

(let me know privately if you apply, and I can ask the organizers to give your sponsorship request a closer look)