Hi Clint,

On Sat, Feb 04, 2012 at 11:20:24AM -0800, Clint Byrum wrote:
> I think a more interesting discussion than the current one of "who
> plays nice with whom" and "why I don't like your processes", is whether
> anyone other than Stefan would be willing to champion RFCs for all of
> the Suhosin patch to enter PHP's core, and be turned on by default.

I believe he's stated that he's not interested in doing so himself, but
otherwise I think that yes, integrating those features would be the
optimal end-solution (and I otherwise generally agree with your
assessment).

> We've talked briefly in the Ubuntu project about this latest development,
> as we generally try to stay as close to Debian's packages as possible.
> Members of our security team have expressed reservations about
> following Ondrej's lead here. These are the people who have to work
> to get vulnerabilities patched in a timely manner across all supported
> releases of Ubuntu long after upstream has dropped support (currently
> that includes php 5.2.4 - 5.3.6).

You might want to have those security team members temporarily subscribe
to the debian pkg-php list, or otherwise contact Ondrej or myself to be
CC'd in a follow-up discussion planned for next week (or maybe the
following one).

We have mixed feelings ourselves about whether it ought to be
enabled/disabled, but right now tempers seem to be a bit too hot to
accomplish even a reasonable discussion of this, so we've agreed amongst
ourselves to let things settle just a bit first.

And FYI for those who don't follow how things work in Debian, this
doesn't affect our current stable release, only what will be the next
one, and there's easily enough time between now and that release to
revert the decision, if it seems that it's the best thing to do.

sean

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php