On 02/02/2012 06:37 PM, Stas Malyshev wrote:
> Hi!
>
>> yes, but suhosin-extension and hardening patch exists since many years
>>
>> the question from a normal user:
>> why are these things not included in the core?
>
> Because some of these things slow down the code and thus may not be
> beneficial to the most users.
So, I respect every one of you, but please consider:

Most users ==== low traffic webhosting stuff, people will never ever notice a performance penalty within millisecond intervals. They neither care about security nor about performance.

Minority of users ==== facebook, flickr, etsy -> they know what they do and they can scale horizontally and optimize PHP on their own (HINT: HipHop). You, the PHP core team, do not have to care about their website slowing down. They have people that know the advantages and disadvantages of PHP.

_YOUR_ responsibility as the provider (READ: provider) of a programming language is to provide a secure environment in favor of micro-optimized performance.

So, sorry guys, but this performance argument is simply really BOGUS for 99.99999% of your users. Optimizing bytecodes is cool but securing the interwebs is just more important. Please first provide a default secure config and second you might document the more insecure settings by saying "you know what you do". Otherwise you are wasting millions of dollars of other people's money. People will leave you, PHP will get more and more hilarious.

It doesn't matter if you like Stefan Esser or not. He may not be the most sensible or nicest guy in the world but he's probably the best PHP security expert. He might be an asshole, jerk or whatever, BUT he shares his experience and knowledge via CODE (!). He does not (directly) earn money with it. You can ignore his trolling statements and just use his code. It will at most touch your honor. I know it's hard because he personally attacks people and this doesn't help at all, but deal with him. He really made PHP and the interwebs more secure for the last decade. Do not respect him for how (badly) he's communicating things, respect him for what he coded.

We are coders. Be humble and get shit done. Really.

--
best regards,
Soenke Ruempler // @s0enke
Development
Jimdo GmbH - Pages to the People.
Stresemannstr. 375 | 22761 Hamburg | Germany
Tel: +49 40 82244999 | Fax: +49 40 82244998
Geschäftsführer: F. Detzner | M. Henze | C. Springub
Amtsgericht Hamburg, HRB 101417
mailto: soe...@jimdo.com
Create your own JimdoFree-Page at http://www.jimdo.com!