Newsgroups: php.internals
Xref: news.php.net php.internals:57772
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
From: stefan@nopiracy.de (Stefan Esser)
To: Reindl Harald
Cc: Michael Morris, Mailing-List php
Date: Mon, 6 Feb 2012 17:44:23 +0100
Message-ID: <8E543478-4396-4007-8F70-14B0262DAA8B@nopiracy.de>
In-Reply-To: <4F2FFE2E.4060102@thelounge.net>
References: <4F2CEA7E.9010906@sugarcrm.com> <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de> <90A22109-8267-4C6F-B35C-0A3612213915@nopiracy.de> <4F2FEE7A.9030309@thelounge.net> <4F2FF2A5.7000906@thelounge.net> <4F2FFE2E.4060102@thelounge.net>

Hi,

considering that I am the antichrist and eat little children, it may be better to quote Lord Voldemort instead of Harry Potter.

"Don't you turn your back on me Harry Potter, I want you to look at me when I kill you, I want to see the light leave your eyes"

Back to serious.

It is nice, Reindl, that you defend me, but you will not convince people like MM. And you don't have to. Suhosin is not a religion or a Harry Potter movie. If he does not trust me, then he is free to not use it. No one forces anyone to do anything. At least not from my side.

Besides the fact that Suhosin is open source and he can audit it himself, or is he not qualified to do it?

I explained on Twitter that I would be pretty stupid to try to hide security bugs, because there are enough people out there that would see this and use it to clown me.

Regards,
Stefan

On 06.02.2012 at 17:22, Reindl Harald wrote:

> On 06.02.2012 17:10, Michael Morris wrote:
>> On Mon, Feb 6, 2012 at 10:32 AM, Reindl Harald wrote:
>>
>>> first: do not top-post if you get a reply below
>>>
>>> second:
>>> in the context of suhosin "when mistakes get made by such a person,
>>> they are hidden away rather than honestly reported" is bullshit
>>> at its best
>>>
>>> * look at the disclosure below
>>> * look at the author
>>> * look at the way it was made
>>>
>>> if only 10% of developers would work like Stefan, most software
>>> out there would be much better than it is and was all the last years,
>>> and if someone has this attitude and knowledge I see no single
>>> problem and understand fully that he is frustrated
>>> _______________
>>>
>>> Author: Stefan Esser [stefan.esser[at]sektioneins.de]
>>>
>>> Disclosure Timeline:
>>> 12. January 2012 - Vulnerability was found during an internal audit
>>> 14. January 2012 - Vulnerability was fixed in the source code
>>> 19. January 2012 - Public Disclosure
>>
>> This underscores my fears. Public disclosure was only made once the
>> fix was composed, seven days after discovery, and that's presuming
>> the stated date of discovery is honest. As it is an "internal" audit,
>> who knows other than Stefan? You can take his word. I won't.
>
> if you answer to a list mail, answer to the list and not private, damn it!
>
> would it have been better to make a full disclosure before
> having a fix, to help attackers? if this is your opinion
> you are a foolish idiot, sorry but no other words for that
>
> this does not even happen if the one who found an exploit notifies the
> vendor of the software, and especially not if the one who found it IS
> the vendor and the one who will fix it
>
> you said "when mistakes get made by such a person, they are hidden away
> rather than honestly reported" which is NOT underscored, because if
> it were the truth the disclosure from Stefan would not exist and
> he would only have released a new version with a "fixed some small bugs"
> comment and not more