[php-maint] Bug#657698: Bug#657698:

Christoph Anton Mitterer calestyo at scientia.net
Mon Jan 30 22:44:33 UTC 2012

On Mon, 2012-01-30 at 23:02 +0100, Stefan Esser wrote:
> Yeah it is really amusing that Debian's PHP maintainers spend
> hours/days on writing emails about dropping Suhosin and voting on it.
> Then spend more time on patching their build scripts to no longer ship
> Suhosin by default. Then spend even more time because they broke the
> build by removing Suhosin… Instead of just leaving the patch inside
> which would have eaten no time at all.
Well ok... I guess they have their reasons, even if they just need to
constantly answer people, who report (invalid) bugs, just because they
denied some function via suhosin, which their application needs.

So I guess you don't mean your "criticism" serious :-) ... thei're doing
all this in their spare time and maintaining a big package like PHP is
surely some effort.

> I can understand that you as a Debian user are sad about the fact that
> Debian's PHP maintainers decided that security is not important.
Well one could argue, that if manpower is just not available, it's
really better to drop it, than having it in, but perhaps in a
non-functional state.

> However from my point of view it is actually better if Debian does not
> ship Suhosin by default. That might stop them from spreading nonsense
> like Suhosin is unmaintained/upstream is not responsive etc…
Uhm.. yeah I haven't the big overview, but at least I haven't read any
such claims.

> The Suhosin ABI is identical.
This is good news..

> However the Suhosin patch increases the security of PHP extensions if
> they are compiled against the Suhosin PHP source, because different
> macros are defined so that PHP's internal format string functions are
> used, instead of the system's. This is a protection against format
> string vulnerabilities.
So does this mean that you really have to compile all the extensions
against a suhosin patched PHP in order to gain these (security)
benefits... or are they just transparently used when suhosin core pathc
was applied; or not used, if not?

> No that will never happen, which is a good thing. You can already
> disable/enable several Suhosin-Patch features like the memory canaries
> by just defining different environment variables before starting PHP.
Is this somewhere documented?
btw: I remember some undocumented features of suhosin, IIRC,
suhosin.server.strip is not documented int the website.

> No such message is anywhere on the website. The website only says that
> there are Suhosin packages in Debian, not that it is automatically
> selected.
Ah,.. you're right :)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5677 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20120130/34615e76/attachment-0003.bin>

More information about the pkg-php-maint mailing list