[php-maint] Status of suhosin in Debian

Ondřej Surý ondrej at sury.org
Mon Jun 11 20:27:20 UTC 2012


+1 from /me on not releasing suhosin in wheezy...

Ondřej Surý

On 11. 6. 2012, at 22:22, Alexander Wirt <formorer at formorer.de> wrote:

> Hi,
> 
> we as the former (and again) maintainers of suhosin are a little bit worried
> about the current state of suhosin in Debian.
> 
> A short introduction about suhosin. Suhosin is a security extension for php
> which consists of two parts: a patch for php and an extension. Suhosin
> extends php with several security features and was (and probably is) very
> important for several users. Unfortunately development slowed down a lot in
> the past and its author is known to have some problems with the php
> community. Therefore the php maintainers decided to drop the patch from the
> 5.3 packaging a few months ago (there were also some bugs and slowdowns with
> the patch) [1]. Arch Linux did the same [2].
> 
> With php 5.4 things are even worse: there is no up-to-date patch and/or
> module. There is some preliminary version on github which is far from being
> released. Unfortunately there was an uncoordinated upload in response to
> our request for adoption; the uploads introduced a bunch of new bugs and we
> decided to revert the uncoordinated adoption (and invited the uploader to our
> team).
> 
> After talking again, we think we should release wheezy without suhosin and
> maybe reintroduce it in wheezy+1. In the meantime we would recommend
> removing suhosin from testing (already done) and unstable and uploading the
> package to unstable. Release team, what do you think?
> 
> I added the php team on Cc to collect more opinions.
> 
> Alex
> 
> [1] <CALjhHG_wYvJn-Z+x9fJUi+dgmZ+Ha9BD54N5VwhneJM4sg1xBQ at mail.gmail.com>
> [2] https://pierre-schmitz.com/php-5-4-1-in-suhosin-out/