[php-maint] Bug#657698:

Christoph Anton Mitterer calestyo at scientia.net
Sun Jan 29 23:01:49 UTC 2012


On Sun, 2012-01-29 at 22:56 +0100, Ondřej Surý wrote:
> > Were there any troubles in applying the suhosin core patch to PHP?
> It still applies cleanly.
So the effort it cost you was in tracing bugs in software that didn't
work with suhosin?
Isn't this rather the business of upstream of those packages (and/or
suhosin itself)?

I guess suhosin.simulation=On doesn't "disable" the core patch (or its
enforcement), does it?

My idea was just that if applying the patch usually works well, then you
could rather enable it by default, and just point those experiencing
problems to rebuild their own packages.


> > So is it "just" a matter of making the php5 source package produce binaries
> > for both -with-suhosin and no-suhosin?
> That's exactly what it is not. You need to support every package you
> produce, check
> the bug reports, you need to communicate with users and with PHP upstream.
Uhm... yeah,.. of course I cannot judge this, if you had that many
troubles with it. :-(


> I am also quite sure that we don't want to build every extension
> twice. So you probably
> need to check if it's possible to build the extension just once and use it with
> with-suhosin and no-suhosin.
That could become a problem. But I don't know, I'm rather a PHP user
(anything but an expert) and I'd even prefer not having to be a
user.
Having had some bad experiences with security in PHP and PHP
applications I used to be quite happy about suhosin, which is also why I
now try to convince you maintainers to add it back ;)

Anyway... if you think that extensions built for with-suhosin don't work
with a non-suhosin php... then
a) you'd have to break all those php5- packages out there already now,
right?
b) if you "support" building your packages with suhosin then (with that
option) the resulting packages should also somehow break all others
(that have not been rebuilt).


Perhaps you can post an RFH on d-d? I guess there are many guys out
there using php that like suhosin and that perhaps haven't even noticed
yet that it is gone.


What about *buntu? They just take Debian's package as is, right?


Cheers,
Chris.