
Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

From:  Stefan Esser <stefan-AT-nopiracy.de>
To:  Stas Malyshev <smalyshev-AT-sugarcrm.com>
Subject:  Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds
Date:  Sat, 4 Feb 2012 09:41:42 +0100
Message-ID:  <9684A843-5A7F-43BB-BFC2-86F34E27EC3B@nopiracy.de>
Cc:  Pierre Joye <pierre.php-AT-gmail.com>, Soenke Ruempler - Jimdo <soenke-AT-jimdo.com>, PHP internals <internals-AT-lists.php.net>, "security-AT-php.net" <security-AT-php.net>, "zigo-AT-debian.org" <zigo-AT-debian.org>

Good morning,

> Well, here's the answer why Suhosin is not part of PHP.
> 
>> With Suhosin existing I am free to implement as many security
>> mitigations I like and do not have to beg the PHP developers to
>> consider adding something.
> 
> Some people call "begging" collaboration and consider it a normal way to develop software with
> teams bigger than one person. Of course, being part of the team is completely voluntary. I think it
> is clear that Stefan is not interested 

The Suhosin project was started because I personally considered the state of PHP security not good
enough for MY SERVERS.
And while you don't like it, the security history of PHP (and how often a bug never even
affected Suhosin-patched PHP) has proven that I was right.

I want to have the best possible protection on MY SERVERS.

The fact that others can use Suhosin is a gift from me. I could keep the project completely to
myself (or let people pay for it). But I did not.
But instead of accepting the gift, people like Pierre run around and tell everybody that people
only have more problems due to Suhosin, that he is happy that it gets dropped, bla bla bla.
This is ironic because Pierre's employer is Microsoft (excuse me if that is not correct anymore).
Microsoft "recently" created Suhosin for Windows. They call it EMET and they actively support it,
not fight it like cancer.

I see NO REASON why I should kill Suhosin and maybe 5 of 100 features/mitigations go into mainline
PHP.
If that happens it is not good enough for me. I want all 100 features/mitigations in MY SERVERS.

A suhosin that is merged to PHP mainline will never provide the same security as an external
solution.
This is not good enough for me.

Also PHP.net demands that I convince them to take feature A, B and F from Suhosin into PHP. I get
ordered to sit down and write RFCs about these features and explain why they need to go inside.
Why should I waste my time like that? I know for sure that whatever will be the outcome of it, it
will be a compromise (if at all) that will not be sufficient for my personal taste.
So in the end, from my point of view, people have to use Suhosin anyway. Why also waste time merging
5 features of 100 if I can do something more useful in that time and give my Suhosin users 20 more
new mitigations?

Also history has proven that sooner or later PHP.net gets bitten by some vulnerability in the ass
and then they will clone one of the Suhosin features anyway.


Regards,
Stefan Esser
-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php




Copyright © 2012, Eklektix, Inc.