On Thu, Apr 28, 2005 at 10:04:00PM +0200, Hans Spaans wrote:
> Is this going to solve the problems? Don't get me wrong, because I love
> your goal but I don't believe that what you are suggesting right now is
> going to solve the problems with PHP at this moment. Maybe it's an idea
> to get in contact with Rasmus about securing PHP, because he's trying to
> get a more secure and sane php4.ini in the upstream releases. Unluckily
(...)

Well, you've probably missed Bug #274374, which is a step in that
direction. If anyone has comments or improvements on the
php.ini-paranoid file provided in the php4 package please send them my
way, I would love to see that improved.

> Besides the fact that your plan has some issues with multiple
> installations because some applications require that for multiple vhosts.
> It may be a better idea to start with PHP itself and ask during
> installation if the user wants to install a secure or insecure version
> of php4.ini. The same is done with setuid issues for example.

Why not ask that to PHP maintainers? The file is already there, it's
just a matter of having debconf ask this on the first install and
replace the default file. If anyone were to provide a patch
implementing this I don't see why the Debian PHP maintainers would not
add it in.

Regards

Javier