On Fri, Mar 1, 2013 at 11:39 AM, David Muir <davidkm...@gmail.com> wrote:
>
> On 01/03/2013, at 7:00 AM, Anthony Ferrara <ircmax...@gmail.com> wrote:
>
> > Hey all,
> >
> > Based off of the recent discussion around pulling in ZO+ into core, I've
> > come to the conclusion that we should also pull in XDebug and Suhosin into
> > core at the same time.
> >
> > 1. It has integration issues with ZO+ in that it has to be included in a
> > specific order (specifically around ini declarations). If it was included
> > into core, this could be accounted for allowing for more robust behavior.
> >
> > 2. Both to be maintained for each new language feature as well as
> > opcode-caches. This will have the same benefit as integrating ZO+, as it
> > can be maintained inline with the engine.
> >
> > 3. Both stand as a barrier to adoption as many will not run PHP in
> > development without XDebug, and they won't run it in production without the
> > Suhosin patch.
> >
> > Since both of these are vital to PHP's uptake and adoption of new versions,
> > I feel it's important to delay 5.5 until we can get both in. I can draft up
> > the RFC if necessary...
> >
> > Anthony
>
> Nice :-P
>
> Seriously though, what's the deal with the Suhosin patch? I use it because
> it's included by default on Ubuntu... Didn't know about the huge
> performance impact. Their website seems to imply that PHP has security
> holes that have never been patched, and are only closed by using Suhosin. I
> find that hard to believe. Is PHP really *that* vulnerable without it? The
> site (http://www.hardened-php.net/suhosin/) is somewhat light on details.
>

Any computer system is vulnerable as far as you press the start button and
plug in the network cable ;-)

Julien