Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
- To: Pierre Joye <pierre.php@gmail.com>
- Cc: Stefan Esser <stefan@nopiracy.de>, Ondej Sury <ondrej@sury.org>, 657698 <657698@bugs.debian.org>, Christoph Anton Mitterer <calestyo@scientia.net>, Douglas Calvert <dfc@douglasfcalvert.net>, Jesse Molina <jesse@opendreams.net>, Carlos Alberto Lopez Perez <clopez@igalia.com>, PHP internals <internals@lists.php.net>, Debian Developers <debian-devel@lists.debian.org>, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>
- Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
- From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Date: Thu, 2 Feb 2012 16:19:46 +0000
- Message-id: <20266.47010.249265.253602@chiark.greenend.org.uk>
- In-reply-to: <CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com>
- References: <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com> <5FB5CFDA-6FE8-4C20-A9B9-7844ED96659B@nopiracy.de> <CAEZPtU7jtQTDNpUovxxnDdRunjH9BOdX=WbS8JcGz+5Wkz8ocw@mail.gmail.com> <46104CB6-A868-41C3-B8E1-F1E0AC06BCAB@nopiracy.de> <CAEZPtU4oqvSmjU=3Oh3iuRtw5MZLaGTPLWFu-KTtq_ScKsu4Vw@mail.gmail.com>

[resent with 7-bit headers. apologies for any mangled names:]

Pierre Joye writes ("Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds"):
> [...] But so far I failed to see other features in Suhosin that we
> need to implement without having more cons than pros.

I know nearly nothing about PHP security and nothing about Suhosin.
But from what I have read in this thread, I find this kind of argument
very unconvincing. Surely the time to drop something like Suhosin
would be when PHP stops actually having bugs which are mitigated by
Suhosin. Not when the PHP project claims to have improved its
processes so that these bugs won't occur any more.

The decision should be based on the existence or not of the
vulnerabilities, and whether Suhosin in actual fact helps.

Ian.