[php-maint] Status of suhosin in Debian

Alexander Wirt formorer at formorer.de
Mon Jun 11 20:22:41 UTC 2012


Hi,

we as the former (and again) maintainers of suhosin are a little bit worried
about the current state of suhosin in Debian.

A short introduction about suhosin. Suhosin is a security extension for php
which consists of two parts: a patch for php and an extension. Suhosin
extends php with several security features and was (and probably is) very
important for several users. Unfortunately development slowed down a lot in
the past and its author is known to have some problems with the php
community. Therefore the php maintainers decided to drop the patch from the
5.3 packaging a few months ago (there were also some bugs and slowdowns with
the patch) [1]. Arch Linux did the same [2].

With php 5.4 things are even worse: there is no up-to-date patch and/or
module. There is some preliminary version on github which is far from being
released. Unfortunately there was an uncoordinated upload in response to
our request for adoption; the uploads introduced a bunch of new bugs and we
decided to revert the uncoordinated adoption (and invited the uploader to our
team).

After talking again we think we should release wheezy without suhosin and
maybe reintroduce it in wheezy+1. In the meantime we would recommend
removing suhosin from testing (already done) and unstable and uploading the
package to unstable. Release team, what do you think?

I added the php team on Cc to collect more opinions.

Alex

[1] <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ at mail.gmail.com>
[2] https://pierre-schmitz.com/php-5-4-1-in-suhosin-out/