Guys

sorry to barge in out of the blue, I recently signed up to the internals
list after many years as a PHP user (like many, many people of course :) )
and after the recent none-too-happy releases. I'm looking ever forward to
the next major PHP release and since I discovered the RFCs list I even
know exactly what I can wait for - or be sad to see dropped. I'm mostly a
feature-oriented guy, but I recognize the obvious need to handle the many
vectors that create security problems, and Suhosin has been part of that
fight.

Now, again, coming out of the blue like this means I miss all the finer
points, the many contexts that lead intelligent people (in whatever group
context) to extreme positions, like we're seeing here. I've seen it before,
and I know intelligence and the general will to do good have nothing to do
with it.

Anyway, keeping it brief, let me give you a user's perspective here about
security and what it means. Technical aspects aside, having an external
component mitigate a language (runtime) vulnerability is not scary for the
external component, it's scary for the flaw actually being there in the
core. Are there good reasons for this? Is it an architectural choice
that inevitably leads to said vulnerability? I'm guessing it isn't,
because for the most part I don't think Suhosin changes any of the PHP
feature set, so one would say that each of the problems Suhosin fixes
could be fixed right at the source of it all. Now, going through RFCs to
solve problems (not introduce new features) does seem to bring
in bureaucratic work where there isn't a need for it, but I'm also
guessing we all know that and that RFCs aren't used outside the feature
set context.

I also see, despite all this, a place for an external component, almost as
I see an RC version, something like a first-line, more agile way to test code
and solutions, but in the long run, I think everyone here would agree,
something that Suhosin (or others) does better than PHP Core (barring all
the finer contexts that I'm missing, like someone trying to actually make
money out of their work by having a paid product instead of offering it to
the community) would probably be ported into PHP (and out of Suhosin) in
the next development iteration.

Now, guys, as a user here, really, no finger pointing, no nothing, I don't
care much for egos, not when it means things go slower instead of faster.
AS A USER, I would really like for sense to come in somewhere soon, and to
see PHP moving forward, faster and better :) , and I'm sure the right
people are gathered here to (keep) doing it :)

David Ramalho

ps: no paternalism meant, first email ever here, a very hot topic, put it
in perspective please :) - thanks for reading

On Sat, Feb 4, 2012 at 09:32, Pierre Joye <pierre....@gmail.com> wrote:

> On Sat, Feb 4, 2012 at 10:25 AM, Stefan Esser <ste...@nopiracy.de> wrote:
>
> > Grow up Pierre.
>
> here we go again... failed. next time....
