On Sun, 2012-01-29 at 22:56 +0100, Ondřej Surý wrote: > > Were there any troubles in applying the suhosin core patch to PHP? > It still applies cleanly. So the effort it made you was in tracing bugs in software that didn't work with suhosin? Isn't this rather the business of upstream of those packages (and/or suhosin itself)?
I guess suhosin.simulation=On doesn't "disable" the core patch (or it's enforcement), does it? My idea was just, that if applying the patch uses to work well, than you could rather enable it per default, and just point those experiencing problems to rebuild their own packages. > > So is it "just" a matter of making the php5 source package produce binaries > > for both -with-suhosin and no-suhosin? > That's exactly what it is not. You need to support every package you > produce, check > the bug reports, you need to communicate with users and with PHP upstream. Uhm... yeah,.. of course I cannot judge this, if you had that many troubles with it. :-( > I am also quite sure that we don't want to build every extension > twice. So you probably > need to check if it's possible to build the extension just once and use it > with > with-suhosin and no-suhosin. That could become a problem. But I don't know, I'm rather a PHP user (anything else but an expert) and I'd even prefer not having to be a user. Having had some bad experiences with security in PHP and PHP applications I used to be quite happy about suhosin, which is also why I now try to convince you maintainers to add it back ;) Anyway... if you think that extensions build for with-suhosin don't work with a non-suhosin php... then a) you'd have to break all those php5- packages out there already now, right? b) if you "support" building your packages with suhosin then (with that option) the resulting packages should also somehow break all others (that have not been rebuilt). Perhaps you can post an RFH on d-d? I guess there are many guys out there using php that like suhosin and that perhaps haven't even noticed yet that is gone. What about *buntu? They just take Debian's package as is, right? Cheers, Chris.
smime.p7s
Description: S/MIME cryptographic signature

