Hi,

we as the former (and again) maintainers of suhosin are a little bit worried about the current state of suhosin in Debian.

A short introduction about suhosin: Suhosin is a security extension for php which consists of two parts: a patch for php and an extension. Suhosin extends php with several security features and was (and probably is) very important for several users.

Unfortunately development slowed down a lot in the past and its author is known to have some problems with the php community. Therefore the php maintainers decided to drop the patch from the 5.3 packaging a few months ago (there were also some bugs and slowdowns with the patch) [1]. Arch Linux did the same [2].

With php 5.4 things are even worse: there is no up-to-date patch and/or module. There is some preliminary version on github which is far from being released.

Unfortunately there was an uncoordinated upload in response to our request for adoption. The uploads introduced a bunch of new bugs and we decided to revert the uncoordinated adoption (and invited the uploader to our team).

After talking again we think we should release wheezy without suhosin and maybe reintroduce it in wheezy+1. In the meantime we would recommend removing suhosin from testing (already done) and unstable and uploading the package to unstable.

Release team, what do you think? I added the php team on Cc to collect more opinions.

Alex

[1] <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ@mail.gmail.com>
[2] https://pierre-schmitz.com/php-5-4-1-in-suhosin-out/