Leaving Suhosin would be potentially leaving our users vulnerable, and adding pressure to the security team when new problems are found. The trade off is of course that in 2 years, when upstream PHP drops 5.3, we'll still be backporting security fixes to 12.04's 5.3.10.
The timing of 5.4.0 has been most unfortunate. Had it landed in January, perhaps Suhosin would have been updated in time. At this point, its not looking good, unless a compelling argument for dropping Suhosin is made, or Suhosin releases in the next couple of days. In discussing with the security team, there's a strong desire to ship PHP 5.4.0+Suhosin, but quite a bit of hesitation in shipping 5.4.0 without it. Anyway, Once beta2 freezes later this week, I think its over. Thus far, I think I'd rather have a well known stabilized PHP 5.3 with Suhosin than 5.4.0 without Suhosin. I appreciate the effort everyone has been putting into this, and I still have hope, but time is quite short now. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/948156 Title: Include PHP 5.4 to Ubuntu 12.04 release To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/php5/+bug/948156/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs