Re: Suhosin patch disabled by default in Debian php5 builds
On 03.02.2012 12:46, Thomas Goirand wrote:
> I think you are underestimating how much work Ondrej has done
> in the past, and how much *more* work you are asking him to do here,
> when the whole PHP team is shouting for help! Yes, adding yet another
> build *is more work*, not less.

Well, I hope I didn't give the impression that I claim that this work
has to be done... I fully appreciate the work done by all the PHP
maintainers and I can also understand that this means (much) more work

I just tried to point out that IMHO this is a big loss, and that by
making two packages, one could perhaps at least get rid of some work,
namely by telling users: if you see problems, try the non-suhosin

This is not only about bugs in suhosin, so I don't want to criticise
Stefan here :)... I guess many "bugs" are just misconfigurations (too
tight) of suhosin.

E.g. when I first brought my DAViCal up, I stumbled into the problem
that it requires eval(), which suhosin by default wouldn't even forbid,
but I chose the non-default forbid-it.

And of course, it would make all the people happy who rather go for
performance than security; for whatever reasons.

But again, I really see that this means a lot of work for the
maintainers, and a good relationship between them, suhosin upstream and
php upstream is definitely important.