02-03-2012, 08:58 AM
Jon Dowland

Suhosin patch disabled by default in Debian php5 builds

On Thu, Feb 02, 2012 at 03:59:12PM +0100, Stefan Esser wrote:
> So basically all points you bring up are no issues.

The bit about "good relationship with upstream" seems to hold; especially given
the tone of your responses. It's *very* important for Debian to have a good
working relationship with upstream. If our relationship with vanilla PHP is
improving, then good: if the tone of your messages is indicative of our
relationship with the Hardening patch and/or Suhosin patch, well, that adds
further points to Ondřej's argument.

--
Jon Dowland


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120203095817.GB5644@debian
 
02-03-2012, 09:46 AM
Thomas Goirand

Suhosin patch disabled by default in Debian php5 builds

On 02/03/2012 08:28 AM, Christoph Anton Mitterer wrote:
> The reasons why I've opened #657698 was just, because I thought it could
> be possible for the PHP maintainers to reduce their burden, by just
> offering both, packages with suhosin and without.
> If there are bugs in the with suhosin version, they can either redirect
> people to upstream, or the no suhosin version or even (if time is
> available) try to help.
>
I think you are underestimating how much work Ondrej has done already
in the past, and how much *more* work you are asking him to do here,
when the whole PHP team is shouting for help! Yes, adding yet another
build *is more work*, not less.

Ondrej's post is mostly motivated by his lack of time (please, Ondrej,
correct me if I'm wrong), and the fact that for him, continuing to
maintain PHP with Suhosin is difficult and time consuming (he made a
few points explaining why).

If Stefan was ready to help (or someone else), both in maintaining the
patch and extension in Debian, and also help with the packaging of PHP
itself, and with bug reports, triaging and such, it would be totally
different.

But as much as I can tell, neither Stefan nor anyone else seems to be willing
to make the necessary efforts.

I've brought that up with Stefan, and yet didn't receive a reply from him on
this topic.

Thomas


--
Archive: http://lists.debian.org/4F2BBAF8.1060409@debian.org
 
02-03-2012, 11:25 AM
Christoph Anton Mitterer

Suhosin patch disabled by default in Debian php5 builds

On 03.02.2012 12:46, Thomas Goirand wrote:
> I think you are underestimating how much work Ondrej has done already
> in the past, and how much *more* work you are asking him to do here,
> when the whole PHP team is shouting for help! Yes, adding yet another
> build *is more work*, not less.


Well I hope I didn't give the impression that I claim that this work
has to be done... I fully appreciate the work done by all the PHP
maintainers and I can also understand that this means (much) more work
for them.
I just tried to point out that IMHO this is a big loss, and that by
making two packages, one could perhaps at least get rid of some work,
namely by telling users: if you see problems, try the non-suhosin
version first.
This is not only about bugs in suhosin, so I don't want to criticise
Stefan here... I guess many "bugs" are just misconfigurations (too
tight) of suhosin.
E.g. when I first brought my DAViCal up, I stumbled into the problem
that it requires eval(), which suhosin per default wouldn't even forbid,
but I chose the non-default forbid-it.

And of course, it would make all the people happy who rather go for
performance than security; for whatever reasons.

But again, I really see that this means a lot of work for the
maintainers, and a good relationship between them, suhosin upstream and
php upstream is definitely important.



Cheers,
Chris.


--
Archive: http://lists.debian.org/e6ce4328cbab1a4631b3dd05408e4ac4@scientia.net
 
02-04-2012, 08:36 PM
Christoph Anton Mitterer

Suhosin patch disabled by default in Debian php5 builds

Hey.

So what's the result of this discussion now?!

^^

Chris.
 
