Newsgroups: php.internals
Date: Fri, 1 Mar 2013 12:01:26 +0100
From: jpauli@php.net (Julien Pauli)
To: David Muir
Cc: Anthony Ferrara, internals@lists.php.net
Subject: Re: [PHP-DEV] Include XDebug and Suhosin Patch in Core for 5.5

On Fri, Mar 1, 2013 at 11:39 AM, David Muir wrote:

> On 01/03/2013, at 7:00 AM, Anthony Ferrara wrote:
>
> > Hey all,
> >
> > Based off of the recent discussion around pulling in ZO+ into core, I've
> > come to the conclusion that we should also pull in XDebug and Suhosin into
> > core at the same time.
> >
> > 1. It has integration issues with ZO+ in that it has to be included in a
> > specific order (specifically around ini declarations). If it was included
> > into core, this could be accounted for allowing for more robust behavior.
> >
> > 2. Both to be maintained for each new language feature as well as
> > opcode-caches. This will have the same benefit as integrating ZO+, as it
> > can be maintained inline with the engine.
> >
> > 3. Both stand as a barrier to adoption as many will not run PHP in
> > development without XDebug, and they won't run it in production without the
> > Suhosin patch.
> >
> > Since both of these are vital to PHP's uptake and adoption of new versions,
> > I feel it's important to delay 5.5 until we can get both in. I can draft up
> > the RFC if necessary...
> >
> > Anthony
>
> Nice :-P
>
> Seriously though, what's the deal with the Suhosin patch? I use it because
> it's included by default on Ubuntu... Didn't know about the huge
> performance impact. Their website seems to imply that PHP has security
> holes that have never been patched, and are only closed by using Suhosin. I
> find that hard to believe. Is PHP really *that* vulnerable without it? The
> site (http://www.hardened-php.net/suhosin/) is somewhat light on details.

Any computer system is vulnerable as far as you press the start button and
plug in the network cable ;-)

Julien