[php-maint] Bug#657698: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Russell Coker russell at coker.com.au
Thu Feb 2 23:45:59 UTC 2012


On Fri, 3 Feb 2012, Russ Allbery <rra at debian.org> wrote:
> For example, Debian could immediately become a much more secure OS by
> enabling SELinux in enforcing mode on all Debian systems.  The reason why
> we don't do this is that currently that tradeoff doesn't make sense; too
> much other stuff doesn't work, too much other effort is required, and
> we're not in a position to enforce that technology, even if it would
> increase security.

SE Linux is supported in critical packages including the kernel, sysvinit, and 
cron.  So any user who wants to use it can just install the SE Linux specific 
packages and rely on the built-in support for SE Linux in important base 
packages.

This compares to the PHP/Suhosin situation where users who want that have no 
option other than to download the source and the Suhosin patch and build their 
own packages.

For the analogy you want to make, a better option would be GR Security, which is 
not supported in the Debian kernel and won't be supported in the foreseeable 
future.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




