I'm not on top of the PHP ecosystem, but this article makes Suhosin for PHP sound like what antiviruses are for Windows - just fix the bloody core instead of patching around its sub-par code quality.

On Feb 26, 2012 7:25 PM, "Omer Zak" <w...@zak.co.il> wrote:
> Very interesting and depressing article.
> The general problem is one of securing large software packages.
>
> On one hand, there are optional security patches for the Linux kernel.
> Some of them retain their independence for a while. Others get merged
> into the stock kernel.
>
> On the other hand, I don't remember seeing similar problems with Perl or
> Python. Somehow, they manage to incorporate all security fixes into the
> standard interpreters, so there is no need for patches like PHP's
> Suhosin.
>
> Why is there a difference among PHP, Linux kernel and Perl/Python
> handling of security vulnerabilities?
>
> P.S.: One must remember that the Free Software/Open Source nature of
> all those projects allows people to at all develop and apply independent
> security patches - something whose absence is overwhelming in ecosystems
> like MS-Windows.
>
> --- Omer
>
>
> On Sun, 2012-02-26 at 04:07 +0200, Baruch Siach wrote:
> > Hi Omer,
> >
> > On Sat, Feb 25, 2012 at 11:21:38PM +0200, Omer Zak wrote:
> > > Today, when I upgraded my old PC, which is running Debian Testing
> > > (currently Debian Wheezy), I was informed of the following:
> > >
> > > php5 (5.3.9-4) unstable; urgency=low
> > >
> > >   * The Suhosin patch is now disabled in the default build.
> > >
> > >     If you want to re-enable it again for your installation, you can
> > >     set the option PHP5_SUHOSIN=yes in debian/rules and recompile PHP.
> > >
> > >  -- Ondřej Surý <ond...@debian.org>  Sat, 28 Jan 2012 08:39:36 +0100
> > >
> > > Does anyone know why the packagers decided to reverse the previous
> > > policy of installing PHP5 with the Suhosin patch by default?
> >
> > See http://lwn.net/Articles/479716/ for the full story.
> >
> > baruch
> >
>
> --
> PHP - the language of the Vogons.
> My own blog is at http://www.zak.co.il/tddpirate/
>
> My opinions, as expressed in this E-mail message, are mine alone.
> They do not represent the official policy of any organization with which
> I may be affiliated in any way.
> WARNING TO SPAMMERS: at http://www.zak.co.il/spamwarning.html
>
>
> _______________________________________________
> Linux-il mailing list
> Linux-il@cs.huji.ac.il
> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il