[php-maint] [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Pierre Joye pierre.php at gmail.com
Thu Feb 2 13:38:55 UTC 2012


Hi Stefan,

On Thu, Feb 2, 2012 at 2:31 PM, Stefan Esser <stefan at nopiracy.de> wrote:
> Hello Ondřej,
>
>> My personal feeling is that most people see suhosin as "this is about
>> security, thus it must be good". This, combined with PHP's bad security
>> history, makes everybody feel insecure when suhosin is removed, but
>> the real question is whether suhosin is still really helping with PHP
>> security or is just a burden in general installations now.
>
> considering the fact that you write this email the very same day that a remote code execution vulnerability in PHP is found that is easy to exploit from remote and is greatly mitigated by the use of Suhosin you look pretty stupid. (In case of usage of Suhosin-Extension in default config, it is even completely killed).

Another very important part of Ondrej's email was:

"Please keep the discussion civil and on the technical level"

And at this point, I may suggest you keep such posts to yourself.

About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and
will have bugs. This is not really hot news. That does not affect this
discussion.

I, for one, like the idea of finally seeing distros dropping Suhosin and
focusing on making PHP itself better and safer instead of distracting us
and our users with custom patches or extensions.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org