Newsgroups: php.internals
Xref: news.php.net php.internals:59175
Subject: Re: [PHP-DEV] 5.4.0 rc6 and release
From: clint@ubuntu.com (Clint Byrum)
To: Johannes Schlüter
Cc: André Rømcke, internals
Date: Mon, 26 Mar 2012 23:38:43 -0700
Message-ID: <1332829551-sup-6691@fewbar.com>
In-reply-to: <1332803360.5855.14.camel@guybrush>
References: <4F189F5F.20109@sugarcrm.com> <4F18A8C5.9020301@phpgangsta.de> <4F18B07C.2010402@sugarcrm.com> <1327019609-sup-8204@fewbar.com> <1332788209-sup-9283@fewbar.com> <1332803360.5855.14.camel@guybrush>
User-Agent: Sup/git

Excerpts from Johannes Schlüter's message of Mon Mar 26 16:09:20 -0700 2012:
> On Mon, 2012-03-26 at 12:00 -0700, Clint Byrum wrote:
> >
> > Our hands are tied, as the security team still does not feel
> > comfortable shipping a PHP without Suhosin. Perhaps more can be done
> > to convince the world that this is a safe thing to do now, but for
> > now, we're taking the extremely conservative stance and shipping
> > 5.3.10 with the Suhosin patch.
> >
> > Thanks everyone for chiming in, and especially thanks to Ondrej for
> > pushing hard to get things tested and rebuilt.
>
> Thinking loud: One could also ship both. Yes this doubles the effort but
> gives users a choice :-)

This simply won't happen in the main archive of Ubuntu. The whole point of having a version from the archive in an LTS is that it receives security updates for 5 years, regardless of upstream releasing fixes or not.

If users want something unsupported, an effort can be made to set up a PPA:

https://help.launchpad.net/Packaging/PPA

In fact, Ondrej already went through the trouble of creating one for testing purposes:

https://launchpad.net/~ondrej/+archive/php5

Ubuntu's paid (by Canonical) security team does not have the resources to support two versions of anything, really. Oftentimes two versions of something are provided (like python 2.6 and 2.7) during a transition like we see in PHP right now. However, one is generally in universe, which means it is only supported by the community.

I think the lesson here is to get the necessary bits from Suhosin into PHP's core so that users can feel safe when using stock PHP, rather than needing to wait for the good and generous folks at the hardened PHP project to catch up.