[php-maint] Suhosin patch yes or no for 5.4

Ondřej Surý ondrej at sury.org
Sun Jan 22 09:59:07 UTC 2012


Maybe there's another option - keep it enabled/disabled per SAPI.

I was thinking - disable it in SAPIs where you can have privilege separation
(e.g. fpm, cgi, cli) and keep it enabled where it's part of the web server
(apache2, apache2filter).


On Sun, Jan 22, 2012 at 06:18, sean finney <seanius at debian.org> wrote:
> Hi,
>
> On Thu, Jan 19, 2012 at 06:47:09PM +0100, Ondřej Surý wrote:
>> I would like to start discussion whether we want to apply suhosin patch
>> for 5.4 php series or not.
>
> I have some mixed feelings about it.  my gut is telling me at this point
> we should just drop it given the amount of headaches it's caused us (both
> technical and social w.r.t. both upstream and the patch author).  on top
> of that, support for more "exotic" architectures has always been somewhat
> of a crapshoot, i.e. mysterious bus errors (alignment, usually) on sparc,
> random segfaults when the patch falls out of date with upstream internal
> changes, etc.
>
> If we do drop it and people start screaming, we also have the option of
> shipping the most up to date version of the patch but not included in
> debian/series, and providing some easy way for people to compile it in
> (like what we do with PHP_COMPAT).  Conversely, if we kept it but enough
> people complained we could do the same but with a different default
> value :)
>
>        sean

Ondřej Surý <ondrej at sury.org>
