[php-maint] Bug#657698: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

Russ Allbery rra at debian.org
Thu Feb 2 23:26:40 UTC 2012


Ian Jackson <ijackson at chiark.greenend.org.uk> writes:
> Pierre Joye writes:

>> [...] But so far I failed to see other features in Suhosin that we need
>> to implement without having more cons than pros.

> I know nearly nothing about PHP security and nothing about Suhosin.

> But from what I have read in this thread, I find this kind of argument
> very unconvincing.  Surely the time to drop something like Suhosin would
> be when PHP stops actually having bugs which are mitigated by Suhosin.
> Not when the PHP project claims to have improved its processes so that
> these bugs won't occur any more.

> The decision should be based on the existence or not of the
> vulnerabilities, and whether Suhosin in actual fact helps.

Well, from the Debian perspective, it also needs to be based on the
maintainability of the patch and on the benefit versus complexity
tradeoff.

For example, Debian could immediately become a much more secure OS by
enabling SELinux in enforcing mode on all Debian systems.  The reason why
we don't do this is that currently that tradeoff doesn't make sense; too
much other stuff doesn't work, too much other effort is required, and
we're not in a position to enforce that technology, even if it would
increase security.

I think the maintainers need to make a judgement call about whether the
problems and additional work required to maintain packages with the patch
integrated, for both the Debian maintainers and the PHP user community on
Debian, is justified by the benefits provided by the patch.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>





More information about the pkg-php-maint mailing list