> -----Original Message-----
> From: mike [mailto:mike503@xxxxxxxxx]
> Sent: Wednesday, August 22, 2007 6:22 PM
> On 8/22/07, Chris <dmagick@xxxxxxxxx> wrote:
> > I'm agreeing with the ideas behind Grasp & Suhosin - I'm just
> > disagreeing with Daevid's comment about them only being for 'newbie'
> > installations.
>
> oh, most definitely. i consider myself a very tight coder - but i'd
> prefer to have them in my PHP install as well. i mean, why not? sorry
> i misunderstood! i want these in the core PHP source for everyone,
> newbies or not!

I think you misunderstood what I was saying as well...

> Amen to that... I too don't see why the 'fork' or add on... It should
> just be a normal compile time switch, like --with-suhosin or
> --with-grasp or something like you do everything else. In fact, I'd
> almost be swayed into --with-out-suhosin and --with-out-grasp options
> instead, and make this stuff default so that even newb' installations
> would be less susceptible to attack -- they're probably the ones that
> need the most security!

I was at first suggesting these security hacks be something one has to explicitly enable. Then I thought about it, and thought they should be default "on", and you would have to explicitly turn them "off" if you didn't want them. Related to that was that most newbs wouldn't necessarily know to enable these features on one hand, and they are the types of sites that hackers would target -- low hanging fruit as it were.

I work in a security company, and we use LAMP/Ruby almost exclusively. I would (as a professional and expert) ALSO welcome these security hacks on by default. So it's a win-win for everyone. The few extra ms to execute some secure code is well worth it IMHO over the chance of an XSS or script kiddie causing me hours of grief later.

So in effect, we're on the same page I think.

(p.s. I removed the 'Announcement' portion of the subject, because like other people I'm sure, I color code the subjects based upon certain key words. Announcements are in red for me, and this gets "alarming". ;-) )

D.Vin
http://daevid.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
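Whether the hardening is "default on" or a compile switch, the check a practitioner wants after the build is whether it actually ended up in the binary. The script below is an added example, not code from the thread or from the Suhosin or GRASP projects. It assumes what the Suhosin documentation of the time described: the engine patch announces itself in the `php -v` banner as "with Suhosin-Patch", and the extension shows up in `php -m` as a module named "suhosin"; the module name "grasp" for GRASP is an assumption. The sample `php -m` and `php -v` outputs are constructed so the script runs without PHP installed; against a live interpreter, substitute `$(php -m)` and `$(php -v)`.

```sh
#!/bin/sh
# Added example (not from the original thread): verify whether the
# hardening pieces discussed above are actually present in a PHP build.
# Suhosin ships as two parts: the engine patch (assumed to appear in the
# `php -v` banner as "with Suhosin-Patch") and the extension (assumed to
# be listed by `php -m` as "suhosin"). Having one does not imply the other.
# GRASP is assumed here to register a module named "grasp" (assumption).

# has_module LIST NAME : true if NAME is a whole line of LIST (php -m output)
has_module() {
  printf '%s\n' "$1" | grep -qix -- "$2"
}

# has_suhosin_patch BANNER : true if the php -v banner mentions the patch
has_suhosin_patch() {
  printf '%s\n' "$1" | grep -qi -- 'with Suhosin-Patch'
}

# report MODULES BANNER : prints one line per component; returns 0 only
# when both Suhosin parts are present, 1 when either is missing.
report() {
  mods="$1"; banner="$2"; rc=0
  if has_suhosin_patch "$banner"; then
    echo "suhosin patch:     present"
  else
    echo "suhosin patch:     MISSING"; rc=1
  fi
  if has_module "$mods" suhosin; then
    echo "suhosin extension: loaded"
  else
    echo "suhosin extension: MISSING"; rc=1
  fi
  if has_module "$mods" grasp; then
    echo "grasp:             loaded (assumed module name)"
  else
    echo "grasp:             not loaded (assumed module name)"
  fi
  return $rc
}

# Constructed sample outputs: the extension is loaded, the patch is not,
# which is the combination a "just install the .so" setup typically yields.
SAMPLE_MODULES='[PHP Modules]
Core
ctype
pcre
suhosin

[Zend Modules]'
SAMPLE_BANNER='PHP 5.2.3 (cli) (built: Aug 22 2007 00:00:00)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies'

# Against a real interpreter: report "$(php -m)" "$(php -v)"
report "$SAMPLE_MODULES" "$SAMPLE_BANNER" || echo "hardening incomplete"
```

The two checks are deliberately separate: a distribution package that installs only the extension passes `php -m | grep suhosin` while leaving the engine patch out, so a single grep is not enough to say the box has what the thread is asking for.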