Hi!

> I think the lesson here is to get the necessary bits from Suhosin into
> PHP's core so that users can feel safe when using stock PHP, rather
> than needing to wait for the good and generous folks at the hardened
> PHP project to catch up.

Unfortunately, the good and generous leader of the Suhosin project expressed his complete opposition to cooperation with the PHP team on the topic of getting the features into the core. It still can be done, I guess, but I'm not sure if we will have a volunteer to do it, especially given this situation.

As for users not feeling safe using stock PHP, I have a feeling you are overestimating the number of users feeling so. Millions of users are running stock PHP and we got no indication that they are suffering from any particularly strong feelings of unsafety. If the security team has any specific concerns, of course, they can be discussed.

Without doubt, Suhosin adds a layer of protection, but I do not see why this layer is so absolutely crucial that you are unable to release a version of PHP without it. What would happen is that users would just use third-party packages of 5.4 or build their own - with all issues that follow that.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php