[php-maint] Suhosin patch yes or no for 5.4
Thomas Goirand
zigo at debian.org
Thu Jan 19 19:21:14 UTC 2012
On 01/20/2012 01:47 AM, Ondřej Surý wrote:
> Hi,
>
> I would like to start discussion whether we want to apply suhosin patch
> for 5.4 php series or not.
>
> Just to start, here are a few reasons:
>
> PROS
> 1. protects from not-yet-known bugs (stack protection, etc...)
> 2. applies cleanly and works well
>
> CONS
> 1. suhosin patch seems to be unmaintained (some activity has happened
> in last month though)
> 2. suhosin module seems to be broken (according to its maintainers)
> 3. no support from PHP upstream
> 4. no support from other major Linux distributions(?)
Can suhosin work with PHP as a CGI?

I only care mainly about php5-cgi (since I run it with sbox, in a
chroot). To me, that's the only reasonable way to run PHP in a shared
environment (e.g. multiple sites on the same server), with memory, cpu,
stack, file access limits. If I were to help add suhosin support to
the 5.4 branch (which I'm not sure I'll have time for), then that'd be a
pre-condition for me.

I think you should as well add for the CONS:
- we all have limited time working on PHP, and we don't want to add more
work than we can handle.

So I'm curious when you say: "applies cleanly". Does this mean that it'd
be very little work? If so, why not...
> And no flame - since I am still the only active maintainer atm, I'll make
> the call in the end. If you start flaming I'll just make my decision
> based on the less-flame wins condition.
Someone flaming you would be a total ass, given the time you've spent
maintaining PHP in Debian, and the very little help you've received.
Cheers,
Thomas