Comments on: PHP 5.3 Not In Next Version Of Ubuntu

By: Brandon Savage

Brandon Savage — Wed, 19 Aug 2009 19:39:59 +0000

I’ll not be bullied into taking a position I know to be untrue, especially by small minds. I’ll also not restate my arguments, which I’ve already made.

I will say that I use Suhosin on my own server, due to the fact that I make use of WordPress and it’s plugins. I don’t have time to review every single line of WordPress code, nor do I have the desire to do so; instead I rely on the hardening patch to help defend the system.

By: Federico

Federico — Wed, 19 Aug 2009 18:16:42 +0000

Admit it. What you said about developers getting offended is nonsense. Maybe you got offended? Your boss installed the patched?

By: Brandon Savage

Brandon Savage — Wed, 19 Aug 2009 10:49:03 +0000

I don’t “have” to produce anything. When even the makers of the patch admit that some features have a measurable speed impact (http://www.hardened-php.net/hphp/faq.html#general) insisting that I provide evidence when they’ve already admitted it makes you look like a fool. I’m not the one who says that Suhosin has a performance impact, the makers of Suhosin are. Q.E.D.

I’d like to know what on this list (http://www.hardened-php.net/hphp/a_feature_list.html) you think wouldn’t be already handled by making use of already established best practices. Suhosin provides a great set of features to make sure that a noob developer doesn’t run amok on your system, but a seasoned developer will avoid these practices by default.

By: Federico

Federico — Wed, 19 Aug 2009 06:55:47 +0000

You have to produce some benchmarks, otherwise there’s no reason for not using it. What you said about developers getting offended is nonsense.

By: Kevin van Zonneveld

Kevin van Zonneveld — Wed, 12 Aug 2009 10:05:22 +0000

Correct me if I’m wrong. But I interpreted the meeting minutes slightly different.

“Once the suhosin patch is ported to 5.3 and enabled in the build 5.3 can be uploaded to karmic. ”

To me says: there’s still time to do the suhosin patch and then get in in Karmic. Given the fact that there already is an unofficial suhosin patch out there, I’m feeling chances are actually pretty good.

But I could be overlooking something.
Anyway, there’s something going on here as well:
https://bugs.launchpad.net/ubuntu/+source/php5/+bug/394385

By: Brandon Savage

Brandon Savage — Tue, 11 Aug 2009 20:59:57 +0000

I haven’t tried to apply the patch. I’m waiting for the official patch.

By: Vladimir

Vladimir — Tue, 11 Aug 2009 20:40:39 +0000

Sorry, the link is broken. Should be http://blog.adaniels.nl/articles/suhosin-patch-for-php-53/

By: Vladimir

Vladimir — Tue, 11 Aug 2009 20:40:03 +0000

Has anyone tested the modified Suhosin patch from Arnold (http://blog.adaniels.nl/articles/suhosin-patch-for-php-53/)?

By: Federico

Federico — Fri, 07 Aug 2009 16:13:58 +0000

Hi Brandon,

> and that have a serious performance impact on PHP itself (sohosin does impact performance considerably in several areas).

I think it should be optional as well, specially if it has a huge impact in performance, like you said. Do you have any benchmarks of this? Thanks.

By: Stefan Esser

Stefan Esser — Thu, 06 Aug 2009 13:57:56 +0000

Suhosin for PHP 5.3.0 will be released when I am finally at home again next week. Due to some of the new features in the patch it turned out to be a bigger task than expected and therefore it was not possible to release it before I left for conferences and vacation.

One of the new features will be a certain amount of protection against the PHP security holes I presented at Blackhat about. You won’t get this protection in vanilla PHP.

By: Brandon Savage

Brandon Savage — Wed, 05 Aug 2009 23:58:09 +0000

The patch compensates for poor development and security practices, and I’m sure that the core PHP developers feel as though they ought not reward that behavior by including the patch in the core. I, myself, don’t use the patch because of things it interferes with, and I think that if we boil it down a lot of developers would take offense at having to use a security patch that has features they don’t want or need, and that have a serious performance impact on PHP itself (sohosin does impact performance considerably in several areas).

By: Matt

Matt — Wed, 05 Aug 2009 21:21:13 +0000

Why doesn’t the PHP team include sohosin instead of making all the distros patch it in for each release?

By: Fabry

Fabry — Wed, 05 Aug 2009 15:12:55 +0000

PHP 5.3.0 is included in Fedora 12

https://fedoraproject.org/wiki/Fedora_12_Alpha_release_notes

By: Brandon Savage

Brandon Savage — Wed, 05 Aug 2009 15:10:10 +0000

No flame perceived.

One thing you can do is add a –prefix=/my/path and this will install PHP in a location of your choosing. Upon the release of the package, you can simply run a rm -fr /my/path and get rid of PHP.

Running your own server inherently comes with these risks, and I think most people who feel comfortable compiling PHP are also comfortable being systems administrators so far as to manage their own installations of things. Example: I manage my own installation of Subversion, and each time I do an update I have to reinstall some part of it. This creates some headaches, to be sure, but it’s part of having the latest version of things.

By: Giorgio Sironi

Giorgio Sironi — Wed, 05 Aug 2009 15:03:46 +0000

No flame intended, but installing php by yourself in that way (make install instead of building a deb package) will mess up the system and raise problems when a package will be available via apt-get.