Posted Feb 11, 2012 19:52 UTC (Sat) by bronson (subscriber, #4806)
Parent article: Debian and Suhosin
This sounds like a good decision. It doesn't take many patches before packagers are forking and developing more than they're packaging. That gets confusing for everyone.
Ideally both php-vanilla and php-suhosin packages would be available so end users can choose for themselves. If there's not enough time to maintain two packages then vanilla PHP should go in the repos first.
And, Suhosin or no Suhosin, if you're hosting a popular PHP app then you WILL get owned at some point. With the proper mindset and preparation, the hundreds of serious PHP vulns are not that big a deal.