On 01/31/2012 06:02 AM, Stefan Esser wrote:
> I can understand that you as a Debian user are sad about
> the fact that Debian's PHP maintainers decided that
> security is not important.
> However from my point of view it is actually better if
> Debian does not ship Suhosin by default. That might stop
> them from spreading nonsense like Suhosin is
> unmaintained/upstream is not responsive etc

Please calm down. This is *not* the way to make your point. I might have been the one who used the bad wording "unresponsive" (based on what others wrote), if so, then sorry, you've just proven me wrong. But if you continue with this tone, the only thing that is going to happen is that instead of saying that upstream is unresponsive, we'll say: "upstream isn't friendly and replies aggressively on the bug tracker"

You've proven that you are responsive, that's good, and can potentially reverse the decision if you are ready to help for the packaging. Don't waste the opportunity!

The main reason which this discussion was started was *the lack of man power*, so if you can do the work...

Also, what you might want to do to avoid the same issue again, would be registering this list and reading it often, don't you think?

By the way, I've been asking here, and I didn't get a satisfying answer, so I'd like to ask you as well. I'd be very happy to have your opinion as upstream author. Do you think that suhosin is still valuable when running PHP as CGI-BIN, in a chroot? If so, can you explain why?

Thomas Goirand (zigo)