From: Stefan Esser <stefan-AT-nopiracy.de>
To: Stas Malyshev <smalyshev-AT-sugarcrm.com>
Subject: Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
Date: Sat, 4 Feb 2012 09:41:42 +0100
Cc: Pierre Joye <pierre.php-AT-gmail.com>, Soenke Ruempler - Jimdo <soenke-AT-jimdo.com>, PHP internals <internals-AT-lists.php.net>, "security-AT-php.net" <security-AT-php.net>, "zigo-AT-debian.org" <zigo-AT-debian.org>
Good morning,

> Well, here's the answer why Suhosin is not part of PHP.
>
>> With Suhosin existing I am free to implement as many security
>> mitigations as I like and do not have to beg the PHP developers to
>> consider adding something.
>
> Some people call "begging" collaboration and consider it a normal way to
> develop software with teams bigger than one person. Of course, being part
> of the team is completely voluntary. I think it is clear that Stefan is not
> interested

The Suhosin project was started because I personally considered the state of PHP security not good enough for MY SERVERS. And while you don't like it, the security history of PHP (and how often a bug never even affected Suhosin-patched PHP) has proven that I was right.

I want to have the best possible protection on MY SERVERS. The fact that others can use Suhosin is a gift from me. I could keep the project completely to myself (or let people pay for it). But I did not.

But instead of accepting the gift, people like Pierre run around and tell everybody that people only have more problems due to Suhosin, that he is happy that it gets dropped, bla bla bla. This is ironic because Pierre's employer is Microsoft (excuse me if that is not correct anymore). Microsoft "recently" created Suhosin for Windows. They call it EMET and they actively support it, not fight it like cancer.

I see NO REASON why I should kill Suhosin so that maybe 5 of 100 features/mitigations go into mainline PHP. If that happens it is not good enough for me. I want all 100 features/mitigations on MY SERVERS. A Suhosin that is merged into PHP mainline will never provide the same security as an external solution. This is not good enough for me.

Also PHP.net demands that I convince them to take features A, B and F from Suhosin into PHP. I get ordered to sit down and write RFCs about these features and explain why they need to go inside. Why should I waste my time like that?

I know for sure that whatever the outcome of it will be, it will be a compromise (if at all) that will not be sufficient for my personal taste. So in the end, from my point of view, people have to use Suhosin anyway. Why also waste time merging 5 features of 100 if I can do something more useful in that time and give my Suhosin users 20 more new mitigations?

Also history has proven that sooner or later PHP.net gets bitten in the ass by some vulnerability and then they will clone one of the Suhosin features anyway.

Regards,
Stefan Esser

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Copyright © 2012, Eklektix, Inc.