On Thu, Feb 2, 2012 at 5:10 PM, Stefan Esser <ste...@nopiracy.de> wrote:
> Hello Pierre,
>
>> For one, some were not ported but features were implemented, with
>> the support of their original authors. They are not related to
>> Suhosin, like the Blowfish support, which I ported to PHP with the
>> help of Solar Designer. Suhosin uses the same implementation.
>
> Sorry, it makes no difference if a feature was introduced into PHP by taking
> code from Suhosin or from someone else. The fact is that the feature existed before in
> Suhosin.

I corrected your statement, in fact it makes no difference except that
giving back to Caesar...

> The thing is: I see no problem with the status quo - Suhosin exists and 
> people can use it - it is like people can choose if they want ASLR, NX, 
> Fortify Source on their system.

I do see a problem, and this problem is the reason why I do not think
Suhosin is the right way. To me it creates more issues than it solves.
I cannot count the number of people I have met (or myself) having
issues using Suhosin while not having them with a vanilla PHP.

> I do not have the time or wish to convince the PHP developers to add some
> features that most probably after some time will be
> copied/cloned/reimplemented anyway.

But you have time to convince them and the distros to use the patch;
there is something wrong here :)

> The only problem I see is that some PHP developers negate the fact that
> Suhosin increases the security of PHP (which was proven again and again for 8
> years, why else clone features) and recommend people to stay away from it:
> This is malicious.

You miss the point. And please, do yourself a favour, don't consider
all PHP developers as being one single entity; they are not. The
discussions you may have had in the past and what others think today are
two different things. In other words, move forward, stop
looking at the past.

> And yes, I like the Suhosin codebase separate, because if there is a bug I can
> smack the responsible person (myself) over the head big time.

It is indeed easier for you to work alone. Now if I look at that
from our user base's perspective, this argument is totally invalid.

> If Suhosin merges with PHP a lot of patches will go into the code and the 
> work to keep track with every commit that touches some Suhosin feature will 
> explode.

> Just look at security patches like this:
>
> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997
>
> Yes, it is one of the features that has been in Suhosin for a long time -> anyway
> that security fix is completely broken and no one cares about it.

This is exactly where you should help PHP directly instead of doing
what you do now to defend your patch. In the long run (or maybe even
mid-term), the Suhosin patch will disappear.

Cheers,
-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php