[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

[resent with 7-bit headers. apologies for any mangled names:]

Pierre Joye writes ("Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds"):
> [...] But so far I failed to see other features in Suhosin that we
> need to implement without having more cons than pros.

I know nearly nothing about PHP security and nothing about Suhosin.

But from what I have read in this thread, I find this kind of argument
very unconvincing.  Surely the time to drop something like Suhosin
would be when PHP stops actually having bugs which are mitigated by
Suhosin.  Not when the PHP project claims to have improved its
processes so that these bugs won't occur any more.  

The decision should be based on the existence or not of the
vulnerabilities, and whether Suhosin in actual fact helps.


Reply to: