On 01/03/2013, at 7:00 AM, Anthony Ferrara <ircmax...@gmail.com> wrote:
> Hey all,
>
> Based off of the recent discussion around pulling in ZO+ into core, I've
> come to the conclusion that we should also pull in XDebug and Suhosin into
> core at the same time.
>
> 1. It has integration issues with ZO+ in that it has to be included in a
> specific order (specifically around ini declarations). If it was included
> into core, this could be accounted for allowing for more robust behavior.
>
> 2. Both to be maintained for each new language feature as well as
> opcode-caches. This will have the same benefit as integrating ZO+, as it
> can be maintained inline with the engine.
>
> 3. Both stand as a barrier to adoption as many will not run PHP in
> development without XDebug, and they won't run it in production without the
> Suhosin patch.
>
> Since both of these are vital to PHP's uptake and adoption of new versions,
> I feel it's important to delay 5.5 until we can get both in. I can draft up
> the RFC if necessary...
>
> Anthony

Nice :-P

Seriously though, what's the deal with the Suhosin patch? I use it because it's included by default on Ubuntu... Didn't know about the huge performance impact.

Their website seems to imply that PHP has security holes that have never been patched, and are only closed by using Suhosin. I find that hard to believe. Is PHP really *that* vulnerable without it? The site (http://www.hardened-php.net/suhosin/) is somewhat light on details.

Cheers,
David