Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57770
Return-Path: <h.reindl@thelounge.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 13445 invoked from network); 6 Feb 2012 16:22:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Feb 2012 16:22:13 -0000
Authentication-Results: pb1.pair.com smtp.mail=h.reindl@thelounge.net; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=h.reindl@thelounge.net; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain thelounge.net designates 91.118.73.15 as permitted sender)
X-PHP-List-Original-Sender: h.reindl@thelounge.net
X-Host-Fingerprint: 91.118.73.15 mail.thelounge.net  
Received: from [91.118.73.15] ([91.118.73.15:54925] helo=mail.thelounge.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/F3-28299-23EFF2F4 for <internals@lists.php.net>; Mon, 06 Feb 2012 11:22:11 -0500
Received: from rh.thelounge.net (rh.thelounge.net [10.0.0.99])
	(using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.thelounge.net (Postfix) with ESMTPSA id 5A0639A;
	Mon,  6 Feb 2012 17:22:08 +0100 (CET)
Message-ID: <4F2FFE2E.4060102@thelounge.net>
Date: Mon, 06 Feb 2012 17:22:06 +0100
Organization: the lounge interactive design
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20120131 Thunderbird/10.0
MIME-Version: 1.0
To: Michael Morris <dmgx.michael@gmail.com>, 
 Mailing-List php <internals@lists.php.net>
References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <A33C7716-F355-455E-863D-5458205C3208@nopiracy.de> <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> <CAEZPtU6eYxWM+hL4RzO_Mpx7GgDe3cxJNbZXbwD2MXdFUPS+aA@mail.gmail.com> <A3FA10BF-D660-4705-BBF0-1AF8F9D27C35@nopiracy.de> <CAEZPtU7qyezW44HJbHS=wz5+2_O4PJywg8=Oafhn1JBLonQmwA@mail.gmail.com> <BB9858AE-5AC9-4602-9D6A-2240E0F497AD@nopiracy.de> <CAEZPtU6BVOchkVrx_iOpsyFkcDXf9bcR+=UKC9Re2QA4v9GPOg@mail.gmail.com> <90A22109-8267-4C6F-B35C-0A3612213915@nopiracy.de> <CAEZPtU43eGqTmXEijpd581ucYY3AVZFs7WQzS5Q4MB0cxD1ajw@mail.gmail.com> <EA673E88-3FC5-4916-8B60-74D32DCE9A1F@nopiracy.de> <CAGovj_Ox+aYBX9qXhRHuxLZDiLDc6vZ6X7OV526pUkd+L9ifbA@mail.gmail.com> <4F2FEE7A.9030309@thelounge.net> <CAGovj_NbiVMZyi2vy5QoLLBUN+bpRvHhbB_0oJY-gakkng9CWA@mail.gmail.com> <4F2FF2A5.7000906@thelounge.net> <CAGovj_M5LaPLZ_9fSmFLbTmOKV7JNkBw9pjVmok2VO7Pr+j18Q@mail.gmail.com>
In-Reply-To: <CAGovj_M5LaPLZ_9fSmFLbTmOKV7JNkBw9pjVmok2VO7Pr+j18Q@mail.gmail.com>
X-Enigmail-Version: 1.3.5
OpenPGP: id=7F780279;
	url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="------------enig77AA5D27BFB4FE540B67FF4C"
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: h.reindl@thelounge.net (Reindl Harald)

--------------enig77AA5D27BFB4FE540B67FF4C
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable



Am 06.02.2012 17:10, schrieb Michael Morris:
>=20
>=20
> On Mon, Feb 6, 2012 at 10:32 AM, Reindl Harald <h.reindl@thelounge.net =
<mailto:h.reindl@thelounge.net>> wrote:
>=20
>     first: do not top-post if you get a reply below
>=20
>     second:
>     in the context of suhosin "when mistakes get made by such a person,=

>     they are hidden away rather than honestly reported" is bullshit
>     at it's best
>=20
>     * look at the disclosure below
>     * look at the author
>     * look at the way it was made
>=20
>     if only 10% of developers would work like Stefan most software
>     out there would be much better as it is and was all the last years
>     and if someone has this attitude and knowledge is see no single
>     problem and understand fully that he is frustrated
>     _______________
>=20
>     Author: Stefan Esser [stefan.esser[at]sektioneins.de <http://sektio=
neins.de>]
>=20
>     Disclosure Timeline:
>      12. January 2012 - Vulnerability was found during an internal audi=
t
>      14. January 2012 - Vulnerability was fixed in the source code
>      19. January 2012 - Public Disclosure
>=20
>=20
> This underscores my fears. Public disclosure was only made once the fix=
 was composed seven days after
> discovery, and that's presuming the stated date of discovery is honest.=
 As it is an "internal" audit, who knows
> other than Stefan?  You can take his word.  I won't.

if you anwer to a list mail answer to the list and not private  damend!

would it have been better to make a full disclosure before
having a fix to help attackers? if this is your opinion
you are a foolsih idiot, sorry but no other words for that

this does even not happen if the one found a exploit notifies the
vendor of the software and especially not if the one who found IS
the vendor and the one who will fix it

you said "when mistakes get made by such a person, they are hidden away
rather than honestly reported" which is NOT underscored because if
it would be the truth the disclosure from Stefan would not exist and
he only had released a new version with a "fixed some small bugs"
comments and not more






--------------enig77AA5D27BFB4FE540B67FF4C
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8v/i4ACgkQhmBjz394AnnjfgCePZ2oBOQSJmW2SWyOSd69aRIY
hX4AnRKCa94n8y20OeaFXNVfpxucWJ6o
=W2GD
-----END PGP SIGNATURE-----

--------------enig77AA5D27BFB4FE540B67FF4C--