Disabling the Suhosin patch by default in Debian Wheezy (Debian Testing)

Omer Zak w1 at zak.co.il
Sun Feb 26 00:09:31 IST 2012


I asked on the mailing lists after a quick search in
http://bugs.debian.org/ failed to yield results.
Now I made a more determined search and found the following:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698

According to it, there are problems with the Suhosin patch and the human
resources needed to deal with the problems are missing.

It is a case of you are doomed if you do, and you are doomed if you
don't.
At least people need to be aware of this.


On Sun, 2012-02-26 at 08:53 +1100, Amos Shapira wrote:
> I suspect that digging Debian's usurious tracking site would give you
> more definitive answers than speculations on a general mailing list.
> 
> On Feb 26, 2012 8:42 AM, "Omer Zak" <w1 at zak.co.il> wrote:
>         Today, when I upgraded my old PC, which is running Debian
>         Testing
>         (currently Debian Wheezy), I was informed of the following:
>         
>         php5 (5.3.9-4) unstable; urgency=low
>         
>          * The Suhosin patch is now disabled in the default build.
>         
>          If you want to re-enable it again for your installation, you
>         can
>          set the option PHP5_SUHOSIN=yes in debian/rules and recompile
>         PHP.
>         
>          -- Ondřej Surý <ondrej at debian.org>  Sat, 28 Jan 2012 08:39:36
>         +0100
>         
>         Does anyone know why the packers decided to reverse the
>         previous
>         policy of installing PHP5 with the Suhosin patch by default?
>         
>         As far as I know, it would be rather inconvenient for a busy
>         sysadmin to
>         re-enable the Suhosin patch in PHP5 and rebuild it.  Also,
>         what'll
>         happen if a newer version is released for the package
>         (especially due to
>         newly discovered security vulnerabilities)?


-- 
PHP - the language of the Vogons.
My own blog is at http://www.zak.co.il/tddpirate/

My opinions, as expressed in this E-mail message, are mine alone.
They do not represent the official policy of any organization with which
I may be affiliated in any way.
WARNING TO SPAMMERS:  at http://www.zak.co.il/spamwarning.html



