On -10/01/37 20:59, Ondřej Surý wrote:
> On Sun, Jan 29, 2012 at 22:36, Christoph Anton Mitterer
> <cales...@scientia.net> wrote:
>> Were there any troubles in applying the suhosin core patch to PHP?
>
> It still applies cleanly.
>
>> So is it "just" a matter of making the php5 source package produce binaries
>> for both -with-suhosin and no-suhosin?
>
> That's exactly what it is not. You need to support every package you
> produce, check the bug reports, you need to communicate with users and
> with PHP upstream.
>
> I am also quite sure that we don't want to build every extension
> twice. So you probably need to check if it's possible to build the
> extension just once and use it with with-suhosin and no-suhosin.
>
> O.

Hello,

I have just noticed this today when upgrading... I am really sad to see this feature removed from Debian.

After reading this bug report I understand that:

* Suhosin patch was removed because of a lack of man-power to maintain it
* The main problems maintaining Suhosin were related to bugs from users complaining about broken php applications.

So, if suhosin was creating problems for some users... why not simply ship the configuration of php.ini with "suhosin.simulation = On" by default?

http://myeasylinux.wordpress.com/2010/10/25/disable-suhosin/

This would effectively disable suhosin patch (so no more users would complain about suhosin breaking their applications) meanwhile this still would allow the rest of users that are worried about security to enable suhosin by just changing one line in the configuration.

Or am I missing something?

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carlos Alberto Lopez Perez                           http://neutrino.es
Igalia - Free Software Engineering                http://www.igalia.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~