<p>I'm not on top of the PHP ecosystem, but this article makes Suhosin for PHP sound like what antiviruses are for Windows - just fix the bloody core instead of patching around its sub-par code quality.</p>
<div class="gmail_quote">On Feb 26, 2012 7:25 PM, "Omer Zak" <<a href="mailto:w1@zak.co.il">w1@zak.co.il</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Very interesting and depressing article.<br>
The general problem is one of securing large software packages.<br>
<br>
On one hand, there are optional security patches for the Linux kernel.<br>
Some of them retain their independence for a while. Others get merged<br>
into the stock kernel.<br>
<br>
On the other hand, I don't remember seeing similar problems with Perl or<br>
Python. Somehow, they manage to incorporate all security fixes into the<br>
standard interpreters, so there is no need for patches like PHP's<br>
Suhosin.<br>
<br>
Why is there a difference among PHP, the Linux kernel and Perl/Python in<br>
their handling of security vulnerabilities?<br>
<br>
P.S.: One must remember that the Free Software/Open Source nature of<br>
all those projects is what allows people to develop and apply independent<br>
security patches at all - something whose absence is overwhelming in<br>
ecosystems like MS-Windows.<br>
<br>
--- Omer<br>
<br>
<br>
On Sun, 2012-02-26 at 04:07 +0200, Baruch Siach wrote:<br>
> Hi Omer,<br>
><br>
> On Sat, Feb 25, 2012 at 11:21:38PM +0200, Omer Zak wrote:<br>
> > Today, when I upgraded my old PC, which is running Debian Testing<br>
> > (currently Debian Wheezy), I was informed of the following:<br>
> ><br>
> > php5 (5.3.9-4) unstable; urgency=low<br>
> ><br>
> > * The Suhosin patch is now disabled in the default build.<br>
> ><br>
> > If you want to re-enable it again for your installation, you can<br>
> > set the option PHP5_SUHOSIN=yes in debian/rules and recompile PHP.<br>
> ><br>
> > -- Ondřej Surý <<a href="mailto:ondrej@debian.org">ondrej@debian.org</a>> Sat, 28 Jan 2012 08:39:36 +0100<br>
> ><br>
> > Does anyone know why the packagers decided to reverse the previous<br>
> > policy of installing PHP5 with the Suhosin patch by default?<br>
><br>
> See <a href="http://lwn.net/Articles/479716/" target="_blank">http://lwn.net/Articles/479716/</a> for the full story.<br>
><br>
> baruch<br>
><br>
<br>
--<br>
PHP - the language of the Vogons.<br>
My own blog is at <a href="http://www.zak.co.il/tddpirate/" target="_blank">http://www.zak.co.il/tddpirate/</a><br>
<br>
My opinions, as expressed in this E-mail message, are mine alone.<br>
They do not represent the official policy of any organization with which<br>
I may be affiliated in any way.<br>
WARNING TO SPAMMERS: at <a href="http://www.zak.co.il/spamwarning.html" target="_blank">http://www.zak.co.il/spamwarning.html</a><br>
<br>
<br>
_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
</blockquote></div>