On 02.02.2012 19:02, Stas Malyshev wrote:
> Hi!
>
>> with many hundred active sessions was not a
>> single performance problem
>
> I'm not sure I understand what you are talking about here. Performance is a scale,
> not a trigger. If you lose 10% (totally invented number as an example) that doesn't
> mean you have 10 of "performance problems", it means your sites run 10% slower, you
> need 10% more servers, etc.

as long as the cms generates a whole dynamic page from before the first library include until the generated page is ready in 0.014 seconds while you have some hundred active users including an ajax check and having suhosin enabled at this time where is a SINGLE reason to degrade security by default? for people running on a 10 year old machine fast but unsecure?

what the hell - on a public server security is the first and most important topic and LONG after that performance is one

>> without bytecode-cache you have much more problems
>
> What bytecode cache has to do with it? Sounds like a non-sequitur.

overall performance

i look at the performance of the whole machine and not a single part because the single part does not matter if it leads to successful exploits at last and your whole server is down and owned - what benefit had you after such things happened because it was a little faster?

>> security is not beneficial to the most users?
>
> Please don't do that. I never said that security is not beneficial, and as you quoted
> me you know that and you know that "not beneficial" related to the performance hit
> the mitigation measures cost.

performance comes in the priority LONG after security so this is nothing to discuss

>> security is THE benefit for ALL users, especially in days where many
>> are running crap-code like Joomla/Wordpress with all sorts of plugins
>> throwing millions of warnings if you run with E_ALL and E_STRICT
>
> What the quality of the code of Joomla has to do with anything? Suhosin patches
> would not fix Joomla and most of the issues it helps with are totally unrelated
> to any user code at all.

if code is blowing out millions of warnings it is poorly written code and poorly written code is ALWAYS a security problem

look at the logs how many bad inputs suhosin is dropping, most of them are attacks

if someone attacks your machine EVERY piece increasing security will make the risk of a successful intrusion lower, and yes EVERY server is attacked, every day and every night as long as it has a public IP