Daevid Vincent wrote:
-----Original Message-----
From: mike [mailto:mike503@xxxxxxxxx]
Sent: Wednesday, August 22, 2007 1:32 PM
I thing a good FAQ entry would be how this patch fits in
with Suhosin
and what are the comparable/conflicting concepts, are they
compatible
with each other etc.
http://www.hardened-php.net/suhosin/a_feature_list.html
Both systems are liable to appeal to the same sort of
people so it makes
sense to cover this.
What I do not understand is why don't these patches get put instantly
back into the core PHP distribution? So patches against 5.2.3 perhaps
would be in 5.2.4, etc?
IMHO there shouldn't be a hardened PHP project. Their patches should
be put in whenever possible, perhaps during an RCx before a gold build
or something. Any loss of functionality due to them should be a
configuration option to turn on/off but otherwise everyone would
benefit from security, memory leak, and other patches...
- mike
Amen to that... I too don't see why the 'fork' or add on... It should
just be a normal compile time switch, like --with-suhosin or
--with-grasp or something like you do everything else. In fact, I'd
almost be swayed into a --with-out-suhosin and --with-out-grasp options
instead, and make this stuff default so that even newb' installations
would be less susceptible to attack -- they're probably the ones that
need the most security!
That's a completely wrong assumption. PhpBB has had a lot of
vulnerabilities in the past, as has php-nuke and other popular packages.
They've been around for years and not written by newbie's as far as I
know - but I don't have any link to either package I just mentioned.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
