Newsgroups: php.internals
Message-ID: <4F7165CF.7020803@sugarcrm.com>
Date: Tue, 27 Mar 2012 00:01:35 -0700
To: Clint Byrum
CC: internals
In-Reply-To: <1332829551-sup-6691@fewbar.com>
Subject: Re: [PHP-DEV] 5.4.0 rc6 and release
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!

> I think the lesson here is to get the necessary bits from Suhosin into
> PHP's core so that users can feel safe when using stock PHP, rather
> than needing to wait for the good and generous folks at the hardened
> PHP project to catch up.

Unfortunately, the good and generous leader of the Suhosin project expressed his complete opposition to cooperation with the PHP team on the topic of getting the features into the core. It still can be done, I guess, but I'm not sure if we will have a volunteer to do it, especially given this situation.

As for users not feeling safe using stock PHP, I have a feeling you are overestimating the number of users feeling so. Millions of users are running stock PHP and we got no indication that they are suffering from any particular strong feelings of unsafety. If the security team has any specific concerns, of course, they can be discussed.

Without doubt, Suhosin adds a layer of protection, but I do not see why this layer is so absolutely crucial that you are unable to release a version of PHP without it. What would happen is that users would just use third-party packages of 5.4 or build their own - with all issues that follow that.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227