Excerpts from Kiall Mac Innes's message of Sat Feb 04 09:34:44 -0800 2012: > Hi John, > > Ondřej (One of the Debian PHP maintainers) listed 5 or 6 reasons in the > initial email in this thread. > > Honestly, I can't think of a good reason for Debian or anyone else to > include 3rd party patches, whatever the patches purpose, in the default PHP > packages. >
There are plenty of reasons to use a 3rd party patch. Operating systems are about supporting an well integrated system. If parts of that system are breaking integration or eating peoples data, the os integrator (Debian, RedHat, CentOS, Ubuntu, or even MS in some cases) must act to support its users. Staying as close as possible to upstream is absolutely critical for efficient operation of an Open Source operating system project like Debian and Ubuntu. However, above efficiency is security. If Suhosin mitigates security vulnerabilities, lowering the urgency with which fixes must be rushed out to users, then carrying it as a patch is, IMO, worth it. I have to sympathize with Ondrej, as I know how much effort he puts into maintaining the PHP packages in Debian. Its pretty demoralizing pushing a bug report upstream when you know its likely to get a response of "please try without Suhosin". I think a more interesting discussion than the current one of "who plays nice with whom" and "why I don't like your processes", is whether anyone other than Stefan would be willing to champion RFCs for all of the Suhosin patch to enter PHP's core, and be turned on by default. We've talked briefly in the Ubuntu project about this latest development, as we generally try to stay as close to Debian's packages as possible. Members of our security team have expressed reservations about following Ondrej's lead here. These are the people who have to work to get vulnerabilities patched in a timely manner across all supported releases of Ubuntu long after upstream has dropped support (currently that includes php 5.2.4 - 5.3.6). So, I think I could probably put myself in as somebody that would support an effort to bring Suhosin's mitigations into PHP core. I don't know that the greater Ubuntu roject could devote many man-hours to it, but perhaps I could write the RFC's and offer resources for testing. Since the patches are already written, it shouldn't be much code work, right? I think this would be something to discuss at the next Ubuntu Developer Summit. I don't believe we'll be disabling Suhosin in the precise release, scheduled to release as 12.04 in April. However, eliminating deltas from Debian and the greater community are always a topic that deserves discussion. I'd invite the PHP community to come and discuss this with us at this free event in Oakland, CA, USA, May 7 - 11. http://uds.ubuntu.com/ You can even request travel sponsorship here: http://summit.ubuntu.com/uds-q/sponsorship (let me know privately if you apply, and I can ask the organizers to give your sponsorship request a closer look) -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php