[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Suhosin patch disabled by default in Debian php5 builds

Am 03.02.2012 12:46, schrieb Thomas Goirand:
I think you are under estimating how much work Ondrej has done already
in the past, and how much *more* work you are asking him to do here,
when the whole PHP team is shouting for help! Yes, adding yet another
build *is more work*, not less.

Well I hope I didn't give the impression that I claim that this work has to be done... I fully appreciate the work than by all the PHP maintainers and I can also understand that this means (much) more work for them. I just tried to point out, that IMHO this is a big loss, and that by making two packages, one could perhaps at least get rid of some work, namely by telling users: if you see problems, try the non-suhosin version first. This is not only about bugs in suhosin, so I don't want to criticise Stefan here :),... I guess many "bugs" are just misconfigurations (to tight) of suhosin. E.g. when I first brought my DAViCal up, I stumbled into the problem that it requires eval(), which suhosin per default woudln't even forbit, but I chose the non-default forbid-it.

And of course, it would make all the people happy who rather go for performance then security; for whathever reasons.

But again, I really see that this means lot of work for the maintainers, and a good relation ship between them, suhosin upstream and php upstream is definitely important.


Reply to: