Am 03.02.2012 12:46, schrieb Thomas Goirand:
I think you are under estimating how much work Ondrej has done alreadyin the past, and how much *more* work you are asking him to do here, when the whole PHP team is shouting for help! Yes, adding yet another build *is more work*, not less.
Well I hope I didn't give the impression that I claim that this work has to be done... I fully appreciate the work than by all the PHP maintainers and I can also understand that this means (much) more work for them. I just tried to point out, that IMHO this is a big loss, and that by making two packages, one could perhaps at least get rid of some work, namely by telling users: if you see problems, try the non-suhosin version first. This is not only about bugs in suhosin, so I don't want to criticise Stefan here :),... I guess many "bugs" are just misconfigurations (to tight) of suhosin. E.g. when I first brought my DAViCal up, I stumbled into the problem that it requires eval(), which suhosin per default woudln't even forbit, but I chose the non-default forbid-it.
And of course, it would make all the people happy who rather go for performance then security; for whathever reasons.
But again, I really see that this means lot of work for the maintainers, and a good relation ship between them, suhosin upstream and php upstream is definitely important.
Cheers, Chris.