Newsgroups: php.internals
Date: Fri, 1 Mar 2013 21:39:16 +1100
From: davidkmuir@gmail.com (David Muir)
To: Anthony Ferrara
Cc: "internals@lists.php.net"
Subject: Re: [PHP-DEV] Include XDebug and Suhosin Patch in Core for 5.5

On 01/03/2013, at 7:00 AM, Anthony Ferrara wrote:

> Hey all,
>
> Based off of the recent discussion around pulling in ZO+ into core, I've
> come to the conclusion that we should also pull in XDebug and Suhosin into
> core at the same time.
>
> 1. It has integration issues with ZO+ in that it has to be included in a
> specific order (specifically around ini declarations). If it was included
> into core, this could be accounted for allowing for more robust behavior.
>
> 2. Both to be maintained for each new language feature as well as
> opcode-caches. This will have the same benefit as integrating ZO+, as it
> can be maintained inline with the engine.
>
> 3. Both stand as a barrier to adoption as many will not run PHP in
> development without XDebug, and they won't run it in production without the
> Suhosin patch.
>
> Since both of these are vital to PHP's uptake and adoption of new versions,
> I feel it's important to delay 5.5 until we can get both in. I can draft up
> the RFC if necessary...
>
> Anthony

Nice :-P

Seriously though, what's the deal with the Suhosin patch? I use it because it's included by default on Ubuntu... Didn't know about the huge performance impact. Their website seems to imply that PHP has security holes that have never been patched, and are only closed by using Suhosin. I find that hard to believe. Is PHP really *that* vulnerable without it? The site (http://www.hardened-php.net/suhosin/) is somewhat light on details.

Cheers,
David