Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Nikita Popov
On Mon, Feb 6, 2012 at 6:00 PM, Stefan Esser wrote: > Hey Nikita, > >> Full disclosure sure is controversial, but I don't think it is >> regarded as necessarily bad. Just look at the way Stefan disclosed the >> PHP 5.3.9 remote code execution vulnerability: Full disclosure. >> >> So please, again,

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Stefan Esser
Hey Nikita, > Full disclosure sure is controversial, but I don't think it is > regarded as necessarily bad. Just look at the way Stefan disclosed the > PHP 5.3.9 remote code execution vulnerability: Full disclosure. > > So please, again, don't call people names. I guess you are not aware that th

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Michael Morris
On Mon, Feb 6, 2012 at 11:51 AM, Nikita Popov wrote: > On Mon, Feb 6, 2012 at 5:22 PM, Reindl Harald > wrote: > > if you answer to a list mail answer to the list and not private damned! > Please, such kind of language is really not necessary. Hitting Reply > instead of Reply All happens to everyb

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Nikita Popov
On Mon, Feb 6, 2012 at 5:22 PM, Reindl Harald wrote: > if you answer to a list mail answer to the list and not private  damned! Please, such kind of language is really not necessary. Hitting Reply instead of Reply All happens to everybody once in a while. > would it have been better to make a full

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Stefan Esser
Hi, considering that I am the antichrist and eat little children it maybe is better to quote Lord Voldemort instead of Harry Potter. "Don't you turn your back on me Harry Potter, I want you to look at me when I kill you, I want to see the light leave your eyes" Back to serious. it is nice Rein

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Derick Rethans
On Mon, 6 Feb 2012, Reindl Harald wrote: > you are a foolish idiot, sorry but no other words for that This is the last time we're warning you about this sort of language. It does *not* belong on this mailing list. cheers, Derick -- http://derickrethans.nl | http://xdebug.org Like Xdebug? Consi

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Reindl Harald
Am 06.02.2012 17:10, schrieb Michael Morris: > > > On Mon, Feb 6, 2012 at 10:32 AM, Reindl Harald > wrote: > > first: do not top-post if you get a reply below > > second: > in the context of suhosin "when mistakes get made by such a person, > th

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Reindl Harald
first: do not top-post if you get a reply below second: in the context of suhosin "when mistakes get made by such a person, they are hidden away rather than honestly reported" is bullshit at its best * look at the disclosure below * look at the author * look at the way it was made if only 10% o

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Michael Morris
I don't think so. My experience with the attitude he has shown is, when mistakes get made by such a person, they are hidden away rather than honestly reported. To paraphrase a line from Harry Potter - brilliant people don't make many mistakes, but the ones they make tend to be large and very damag

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Reindl Harald
Am 06.02.2012 16:00, schrieb Michael Morris: > Having watched this discussion unfold, I for one intend to discontinue > using Suhosin. I advise others to do the same. The character displayed by > Stefan throughout this thread speaks for itself as to why. if you make technical decisions especi

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-06 Thread Michael Morris
Having watched this discussion unfold, I for one intend to discontinue using Suhosin. I advise others to do the same. The character displayed by Stefan throughout this thread speaks for itself as to why. On Sat, Feb 4, 2012 at 9:44 AM, Stefan Esser wrote: > Pierre, > > I think we all know that

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-05 Thread Pierre Joye
On Sat, Feb 4, 2012 at 8:20 PM, Clint Byrum wrote: hi, > So, I think I could probably put myself in as somebody that would support > an effort to bring Suhosin's mitigations into PHP core. I don't know > that the greater Ubuntu project could devote many man-hours to it, but > perhaps I could write

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread sean finney
Hi Clint, On Sat, Feb 04, 2012 at 11:20:24AM -0800, Clint Byrum wrote: > I think a more interesting discussion than the current one of "who > plays nice with whom" and "why I don't like your processes", is whether > anyone other than Stefan would be willing to champion RFCs for all of > the Suhosi

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Clint Byrum
Excerpts from Kiall Mac Innes's message of Sat Feb 04 09:34:44 -0800 2012: > Hi John, > > Ondřej (One of the Debian PHP maintainers) listed 5 or 6 reasons in the > initial email in this thread. > > Honestly, I can't think of a good reason for Debian or anyone else to > include 3rd party patches,

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread jason.ger...@gmail.com
+1 Not certain about a better solution but there are other methods of encrypting and decrypting session data. In a recent project I have been tasked with implementing a PDO stored procedure using MySQL's AES functionality; it works well with or without the patch. In a lot of ways I think that is th

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Kiall Mac Innes
Hi John, Ondřej (One of the Debian PHP maintainers) listed 5 or 6 reasons in the initial email in this thread. Honestly, I can't think of a good reason for Debian or anyone else to include 3rd party patches, whatever the patch's purpose, in the default PHP packages. I would argue that, if peopl

RE: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread John Crenshaw
OK, All the mud slinging is getting really silly (on *both* sides). There's no need to denigrate others because you don't agree with them. There's no point in arguing about who isn't a team player or who works for which evil multinational corporation. Nobody is attacking anybody else by suggesti

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Gustavo Lopes
On Sat, 4 Feb 2012 10:25:21 +0100, Stefan Esser wrote: See you do it again. You claim I believe EMET has been created because of Suhosin. I never said that. Although one of the lead developers of EMET compared it himself to it. You know some features of Suhosin are already in PHP and the HTTP res

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Pierre, I think we all know that 90% of your emails consist of twisting other people's words in the hope to make them look bad and redirect from the technical content. Every time in this thread you replied to me, you were not addressing the technical issue but taking some sentences and twisting

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Pierre Joye
On Sat, Feb 4, 2012 at 3:20 PM, Stefan Esser wrote: > Pierre, > >> Why do you need a RFC to propose something to the W3C, or python? Even >> if it is widely adopted already. No need to answer, that's rather >> obvious. > > you still fail to realize that I don't want to propose (anything) to you. >

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Pierre, > Why do you need a RFC to propose something to the W3C, or python? Even > if it is widely adopted already. No need to answer, that's rather > obvious. you still fail to realize that I don't want to propose (anything) to you. If you love writing RFCs then write some. I am perfectly satis

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Pierre Joye
On Sat, Feb 4, 2012 at 10:46 AM, Stefan Esser wrote: > These are all basic principles of security mitigations. Why is there a need > to write up RFC about these things. They are widely accepted by other > software vendors/products. Why do you need a RFC to propose something to the W3C, or pyth

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Hello, > I only say a few words and then I will be silent > I tend to agree with Linus on this one "Security people are insane" Yes and the security community thinks that Linus is insane for his view on security topics. > Not words : write RFC(docs),patches with sane technical discussions > or

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Hi, >> This is bad. And there is no point arguing this fact. > > Yes, this was bad. Agreed. It was a mistake. Mistakes happen. We fixed > it and hopefully learned from it. Yes mistakes do happen to everyone and we all hope to learn from them. And some of us like to buy insurance so that there i

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stas Malyshev
Hi! Nevertheless PHP 5.3.9 introduced a vulnerability because PHP.net cloned one of those "we see no need for any features" features. Vulnerability was introduced because of the security fix for a specific problem, that unfortunately was done incorrectly. If this feature were requested befor

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stas Malyshev
Hi! This is bad. And there is no point arguing this fact. Yes, this was bad. Agreed. It was a mistake. Mistakes happen. We fixed it and hopefully learned from it. These are all basic principles of security mitigations. Why is there a need to write up RFC about these things. They are widely a

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread David Ramalho
Guys sorry to barge in out of the blue, I recently signed up to the internals list after many years as a PHP user (like many many people of course :) ) and after the recent non-too happy releases. I'm looking ever forward to the next major PHP release and since I discovered the RFC's list I even k

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread marius adrian popa
On Sat, Feb 4, 2012 at 11:32 AM, Pierre Joye wrote: > On Sat, Feb 4, 2012 at 10:25 AM, Stefan Esser wrote: > >> Grow up Pierre. > > here we go again... failed. next time > >> See you do it again. You claim I believe EMET has been created because of >> Suhosin. I never said that. Although one

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Hello Pierre, >> See you do it again. You claim I believe EMET has been created because of >> Suhosin. I never said that. Although one of the lead developers of EMET >> compared it himself to it. >> You know some features of Suhosin are already in PHP and the HTTP response >> splitting drama sh

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Pierre Joye
On Sat, Feb 4, 2012 at 10:25 AM, Stefan Esser wrote: > Grow up Pierre. here we go again... failed. next time > See you do it again. You claim I believe EMET has been created because of > Suhosin. I never said that. Although one of the lead developers of EMET > compared it himself to it. >

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Hello Pierre, >> This is ironic because Pierre's employer is Microsoft (excuse me if that is >> not correct anymore). > > Again you are totally wrong. I work with them not for. > > And can you please once in this thread (or at all) stop your kiddish > personal attack and finally bring technica

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Pierre Joye
hi Stefan, On Sat, Feb 4, 2012 at 9:41 AM, Stefan Esser wrote: > But instead of accepting the gift, people like Pierre run around and tell > everybody that people only have more problems due to Suhosin, that he is > happy that it gets dropped, bla bla bla. Yes, it causes more issues that it s

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Hello Stas, > That's your opinion and you're completely entitled to it and I have absolutely > no issue about it. As I have no issue with your preferring to keep Suhosin as > a separate project - it's your code, you decide what to do with it. What I > have an issue with is understanding how, after

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stas Malyshev
Hi! A suhosin that is merged to PHP mainline will never provide the same security as an external solution. This is not good enough for me. That's your opinion and you're completely entitled to it and I have absolutely no issue about it. As I have no issue with your preferring to keep Suhosin as

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Hi Pierre, > And if security features in Suhosin is so critical, I also why its > users rely on one single person for that, the bus factor is quite > high. everybody is free to join the Suhosin team. People rely on me because they consider me the person knowing most about PHP security. And the

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stefan Esser
Good morning, > Well, here's the answer why Suhosin is not part of PHP. > >> With Suhosin existing I am free to implement as many security >> mitigations I like and do not have to beg the PHP developers to >> consider adding something. > > Some people call "begging" collaboration and consider it

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Pierre Joye
On Sat, Feb 4, 2012 at 9:21 AM, Stas Malyshev wrote: > One thing I do not understand though is how it is possible to say this and > then complain about the lack of cooperation from PHP developers. When we > explicitly invite you to participate, and you refuse - it's totally OK, you > have no obli

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-04 Thread Stas Malyshev
Hi! what part of "all of it and I am not going to try to convince you about this" do you not understand? Well, here's the answer why Suhosin is not part of PHP. With Suhosin existing I am free to implement as many security mitigations I like and do not have to beg the PHP developers to consi

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Yasuo Ohgaki
Hi, >>> http://svn.php.net/viewvc/php/php-src/branches/PHP_5_4/main/SAPI.c?r1=317225&r2=318997 >> >> I'm sure we'd be more than happy to hear why it's broken and hear about >> possible suggested fixes. > > The purpose of the code is to detect all occurrences of \r or \n not followed > by whitespac
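The rule the reply above describes (flag every \r or \n in a header value that is not followed by whitespace) written out as a stand-alone C check, with the stricter variant that rejects any CR/LF beside it. This is an added example, not PHP's own SAPI.c code; the function names, the treatment of "\r\n" as a single line break, and the sample header values are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not PHP's SAPI.c. A header value may only contain a line
 * break if the break is an obsolete fold, i.e. it is immediately followed
 * by SP or HTAB. A CR or LF that is not followed by folding whitespace is
 * exactly what a response-splitting payload needs to terminate the header
 * and start a new header (or the body), so it is reported.
 *
 * "\r\n" is consumed as one line break, so "\r\n " counts as a single fold
 * rather than a bare CR followed by a folded LF. Returns 1 if a bare break
 * is found, 0 otherwise. Function and parameter names are assumptions.
 */
int header_has_bare_crlf(const char *value, size_t len)
{
    size_t i = 0;

    while (i < len) {
        if (value[i] != '\r' && value[i] != '\n') {
            i++;
            continue;
        }
        /* consume one line break: "\r\n", lone "\r" or lone "\n" */
        if (value[i] == '\r' && i + 1 < len && value[i + 1] == '\n')
            i += 2;
        else
            i += 1;
        /* a break at the very end, or one not followed by SP/HTAB, is bare */
        if (i >= len || (value[i] != ' ' && value[i] != '\t'))
            return 1;
        /* otherwise it is a fold: keep scanning from the whitespace */
    }
    return 0;
}

/*
 * Stricter policy: reject any CR or LF at all. RFC 7230 deprecates header
 * folding (obs-fold), and proxies and clients do not agree on how a folded
 * line is reassembled, so new code should prefer this check. Returns 1 if
 * a CR or LF is present, 0 otherwise.
 */
int header_has_any_crlf(const char *value, size_t len)
{
    return memchr(value, '\r', len) != NULL || memchr(value, '\n', len) != NULL;
}

int main(void)
{
    /* constructed sample header values, not taken from any real request */
    const char *samples[] = {
        "text/html; charset=utf-8",               /* clean */
        "/index.php\r\nSet-Cookie: sid=attacker", /* classic splitting */
        "/index.php\r\n X-Folded: continuation",  /* obsolete fold */
        "/index.php\n\tfolded-with-tab",          /* fold via HTAB */
        "/index.php\n\r evil",                    /* LF then CR: not a fold */
        "/index.php\r",                           /* trailing bare CR */
    };
    size_t n = sizeof(samples) / sizeof(samples[0]);

    for (size_t k = 0; k < n; k++) {
        size_t len = strlen(samples[k]);
        printf("sample %zu: bare=%d any=%d\n", k,
               header_has_bare_crlf(samples[k], len),
               header_has_any_crlf(samples[k], len));
    }
    return 0;
}
```

The fold-aware function is the shape a check had to take while RFC 2616 folding was still honoured; note that it lets "\r\n " through, which is why a tight bare-CRLF check is not the end of the story and why the all-CRLF rejection is the safer default for anything written today.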

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Lester Caine
Stefan Esser wrote: I am not interested in pushing Suhosin into PHP mainline. Why in hell would I want that. If Suhosin gets absorbed by PHP.net then I would have to start a new project, because there are tons of mitigations I can think up that will be implemented at some point in time and wil

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Stefan Esser
Hello Pierre, > Again, please tell me which part of Suhosin would make sense to have > in the core? With technical explanation or details. Then we can begin > a good discussion and maybe a RFC to get them in. what part of "all of it and I am not going to try to convince you about this" do you no

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Stefan Esser
Hello Pierre, > Please state the facts. I did add Debian and Ubuntu to the discussions > on secur...@php.net. For all the issues you have reported yesterday > (and I do the same for other). I do not know if Ondrej is on the > security debian list, but that's up to them to deal with that. Actually

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Pierre Joye
hi Stefan, On Fri, Feb 3, 2012 at 9:24 AM, Stefan Esser wrote: > And it does not only look stupid to write such a mail at that moment it also > shows how disconnected the Debian PHP maintainers are from what is happening > around PHP. > It also shows that the PHP devs seem to not like the Debi

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Pierre Joye
hi Stefan, On Fri, Feb 3, 2012 at 9:24 AM, Stefan Esser wrote: > Hello Soenke, > >> I know it's hard because he personally attacks people and this doesn't >> help at all, but deal with him. He really made PHP and the interwebs >> more secure for the last decade. >> >> Do not respect him for how (

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Stefan Esser
Hey, > How does it not look stupid for the "lead" maintainer of PHP in Debian* to > write a "We do not need Suhosin, because I believe there will be no future > Bugs in PHP" mail the very same day various PHP distributions have to put out > updates because of a critical security bug that IN FACT

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Stefan Esser
Hello Soenke, > I know it's hard because he personally attacks people and this doesn't > help at all, but deal with him. He really made PHP and the interwebs > more secure for the last decade. > > Do not respect him for how (bad) he's communicating things, respect him > for what he coded. We are

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-03 Thread Stefan Esser
Hey Florian, > Now that's something I didn't read from Ondřej's mail, but delivering > the packages with and without suhosin would, while being more work, > certainly be the most helpful way for users. Then again I'd gladly help if > there's anything of this additional work that can be done. people

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Pierre Joye
hi, On Fri, Feb 3, 2012 at 1:48 AM, Soenke Ruempler - Jimdo wrote: > _YOUR_ responsibility as the provider (READ: provider) of a > programming-language is to provide a secure environment in favor a > micro-optimized performance. This is in so many ways wrongly formulated. This is what we do, al

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Soenke Ruempler - Jimdo
On 02/02/2012 06:37 PM, Stas Malyshev wrote: > Hi!it sucks major ass, as > >> yes, but suhosin-extension and hardening patch exists since many years >> >> the question from a normal user: >> why are these things not included in the core? > > Because some of these things slow down the code and t

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Thomas Goirand
On 02/03/2012 01:59 AM, Stas Malyshev wrote: > You seem to advocate the approach in which > performance and convenience can and should be sacrificed to security. > It is a matter of opinion Something I don't get here. If there's this issue, and different tastes, why can't a build flag be used, so

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Reindl Harald
Am 02.02.2012 19:42, schrieb Tomas Kuliavas: > 2012.02.02 19:42 Reindl Harald rašė: >> security is THE benefit for ALL users, especially in days where many >> are running crap-code like Joomla/Wordpress with all sorts of plugins >> throwing millions of warning if you run with E_ALL and E_STRICT >

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Pierre Joye
This is off topic, can we stay on focus please? (and disable these levels if you don't want to see them in your logs) On Thu, Feb 2, 2012 at 7:42 PM, Tomas Kuliavas wrote: > 2012.02.02 19:42 Reindl Harald rašė: >> security is THE benefit for ALL users, especially in days where many >> are runnin

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Tomas Kuliavas
2012.02.02 19:42 Reindl Harald rašė: > security is THE benefit for ALL users, especially in days where many > are running crap-code like Joomla/Wordpress with all sorts of plugins > throwing millions of warning if you run with E_ALL and E_STRICT E_STRICT throws notices on properly written code. It

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Ángel González
Stefan Esser wrote: > And there are many many good reasons, why Suhosin must be external to PHP. > The most obvious one is that the code is clearly separated, so that not > someone of the hundred PHP committers accidentally breaks a safe guard. That's not a justification to keep it as a patch. Safe g

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Reindl Harald
Am 02.02.2012 19:02, schrieb Stas Malyshev: > Hi! > >> with many hundred active sessions was not a >> single performance problem > > I'm not sure I understand what you are talking about here. Performance is a > scale, > not a trigger. If you lose 10% (totally invented number as an example) th

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stas Malyshev
Hi! with many hundred active sessions was not a single performance problem I'm not sure I understand what you are talking about here. Performance is a scale, not a trigger. If you lose 10% (totally invented number as an example) that doesn't mean you have 10 of "performance problems", it me

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stas Malyshev
Hi! I know that for many years you have not understood the idea behind Suhosin, the concept of exploit mitigations. I think we have a difference of approaches here, and it is well known. There's more or less a consensus among PHP dev that to introduce a feature, especially with high user perfo

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Reindl Harald
Am 02.02.2012 18:37, schrieb Stas Malyshev: >> yes, but suhosin-extension and hardening patch exists since many years >> >> the question from a normal user: >> why are these things not included in the core? > > Because some of these things slow down the code we are using suhosin patch and exte

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Pierre Joye
hi Stefan, You do not want that to happen, that's different than we, as a project, not willing to see what could be done and help you or anyone to get that done. The RFC process also makes that possible in a very easy and open way. On Thu, Feb 2, 2012 at 5:40 PM, Stefan Esser wrote: > Hello Pier

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stas Malyshev
Hi! yes, but suhosin-extension and hardening patch exists since many years the question from a normal user: why are these things not included in the core? Because some of these things slow down the code and thus may not be beneficial to the most users. especially the option to disable fun

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stefan Esser
Hello Pierre, > This is exactly where you should help php directly instead of doing > what you do now to defend your patch. In the long run (or maybe even > mid term), the Suhosin patch will disappear. I seriously doubt that. The PHP developers will never ever merge all features into the PHP co

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stefan Esser
Hello Derick, >> * and most probably many more that I do not know from the top of my >> head (these are already 9 features and Suhosin/HPHP exists since 2004 = >> 8 years). > Lots of stuff in PHP was also "stolen" from Xdebug, but I am not whining > about that as the goal is (and has always

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Derick Rethans
On Thu, 2 Feb 2012, Stefan Esser wrote: > Sorry it makes no difference if a feature was introduced into PHP by > taking code from Suhosin or from someone else. Fact is the feature > existed before in Suhosin. > > * GLOBALS overwrite protection > * max_file_uploads > * max_input_vars > * crypt()

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Pierre Joye
On Thu, Feb 2, 2012 at 5:10 PM, Stefan Esser wrote: > Hello Pierre, > >> For one, some were not ported but features were implemented, with >> the support of their original authors. They are not related to >> Suhosin, like the Blowfish support, which I ported to php with the >> help of Solar De

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stefan Esser
Hello Pierre, > For one, some were not ported but features were implemented, with > the support of their original authors. They are not related to > Suhosin, like the Blowfish support, which I ported to php with the > help of Solar Designer. Suhosin uses the same implementation. Sorry it make

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread jpauli
On Thu, Feb 2, 2012 at 4:49 PM, Pierre Joye wrote: > hi Stefan, > > On Thu, Feb 2, 2012 at 3:14 PM, Stefan Esser wrote: > > Hello Pierre, > > > >> About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and > >> will have bugs. This is not really hot news. That does not affect this > >

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Pierre Joye
hi Stefan, On Thu, Feb 2, 2012 at 3:14 PM, Stefan Esser wrote: > Hello Pierre, > >> About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and >> will have bugs. This is not really hot news. That does not affect this >> discussion. > > I know that for many years you have not understood

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stefan Esser
Ohh btw… > I have walked the bug list for 5.3 mentioning suhosin[2] to actually > at least partially support what I have just said. I have found few > bugs where suhosin was causing problems ([3],[4]) and a handful of > bugs with "have suhosin, cannot help". I know this isn't (and can't > be) a

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stefan Esser
Hello Pierre, > About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and > will have bugs. This is not really hot news. That does not affect this > discussion. I know that for many years you have not understood the idea behind Suhosin, the concept of exploit mitigations. The only r

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Reindl Harald
Am 02.02.2012 14:38, schrieb Pierre Joye: > About the current flaw affecting 5.3/4, PHP and suhosin had bugs, and > will have bugs. This is not really hot news. That does not affect this > discussion. > > I, for one, like the idea to finally see distros dropping Suhosin and > focus on making PHP it

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Pierre Joye
Hi Stefan, On Thu, Feb 2, 2012 at 2:31 PM, Stefan Esser wrote: > Hello Ondřej, > >> My personal feeling is that most people see suhosin as "this is about >> security, thus it must be good". This combined with bad PHP security >> history makes everybody feel insecure when suhosin was removed, but

Re: [PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Stefan Esser
Hello Ondřej, > My personal feeling is that most people see suhosin as "this is about > security, thus it must be good". This combined with bad PHP security > history makes everybody feel insecure when suhosin was removed, but > the real question is if the suhosin is still really helping with PHP

[PHP-DEV] Suhosin patch disabled by default in Debian php5 builds

2012-02-02 Thread Ondřej Surý
Crossposting to php-internals too since those are the guys who receive the bug reports... Debian unstable packages have recently disabled the suhosin patch by default (it is still kept as an optional part which could be enabled at compile time). I am trying to summarize the reasons why I have decided to d