
It seems Suhosin patches and extends the PHP core as a means to protect users from flaws in the core. It also seems some smart people are using this system. Since it appears to be a good thing, I'm curious as to why it's not part of the PHP core to begin with. Anybody know?

Update: Apparently some distributions of Linux also package PHP with Suhosin by default. This seems to be true for Debian (Lenny at least) and Arch Linux. Any other distributions package PHP with Suhosin by default?

fuentesjr
  • I recognize this is a very old post, but it's still one of the top ranked hits when you search on Google for RHEL/Suhosin-related content. As of 2012, Arch Linux and Debian seem to have dumped Suhosin. Sources: https://pierre-schmitz.com/php-5-4-1-in-suhosin-out/ and http://news.php.net/php.internals/57610 – zeitgeist Nov 14 '12 at 05:08

3 Answers


One of the main guys behind Suhosin is Stefan Esser. Stefan seems to have had an ongoing disagreement with the PHP core developers with regard to security over the last few years. He was also one of the guys behind the Month of PHP Bugs, which was intended to draw attention to the (in Stefan's opinion) sad state of PHP core security.

Given that the Suhosin guys have decided to go their own way and work outside the PHP project, I can imagine that:

  • It's possible that Suhosin hasn't been contributed back for inclusion.
  • The Suhosin guys haven't been able to convince the PHP team of its usefulness, or haven't tried.
  • The core PHP team isn't open to contributions from the guys behind Suhosin.

Some Linux distributions such as Debian (Etch and Lenny), Ubuntu and Arch include the Suhosin patch in their PHP package, so on those systems you'll often find it's turned on by default. Red Hat derived distributions (Red Hat Enterprise, CentOS, Fedora, etc) don't include Suhosin in their PHP packages.

Note: I have no association with the core PHP devs or Suhosin; this is a reasonable guess based on some of the personalities involved.

random
Jim OHalloran

I would guess the main reasons for the PHP team not to include Suhosin are:

  • It may break existing (badly written) PHP code
  • It may break (badly written) PHP extensions (I remember Zend Optimizer being problematic)
d0k
  • The Suhosin patch is binary compatible with the original PHP release, so the Suhosin guys claim full compatibility with all extensions (including Zend Optimizer). In theory, it shouldn't break anything that doesn't already have security issues. – Jim OHalloran Feb 20 '09 at 23:31
    @Jim - This is PHP we're talking about. I'm sure there's a whole lot of bad code out there with serious security issues. – Sean McSomething Feb 21 '09 at 00:03
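Two points in the answers above are easy to verify on a live box: Jim OHalloran's note that some distributions ship PHP with Suhosin already turned on, and d0k's concern that its restrictions can break badly written code. The script below is an added example, not code from the original answers or from the Suhosin project. It assumes (not stated on this page) that the Suhosin patch registers the constant SUHOSIN_PATCH, that the extension registers under the name "suhosin", and that the ini directive names listed are the ones the extension exposes through ini_get(); it reports whether patch and extension are present, whether enforcement or simulation (log-only) mode is active, and the values of the settings most likely to affect legacy code.

```php
<?php
// Added example: report Suhosin patch/extension presence and the hardening
// settings that most often trip legacy code. Written to run on PHP 5.x,
// which is the series Suhosin targets, so no PHP 7 syntax is used.
//
// Assumptions (not stated on the page): the patch defines SUHOSIN_PATCH,
// the extension is named "suhosin", and the directive names below are the
// ones from the extension's own php.ini template.

function suhosin_status()
{
    $patch = defined('SUHOSIN_PATCH');       // core (patch-level) hardening
    $ext   = extension_loaded('suhosin');    // runtime extension (suhosin.so)

    // Directives with a restrictive effect on ordinary application code.
    $names = array(
        'suhosin.simulation',                 // log violations, do not block
        'suhosin.executor.disable_eval',      // breaks code that relies on eval()
        'suhosin.executor.disable_emodifier', // breaks preg_replace() with /e
        'suhosin.executor.func.blacklist',    // functions refused at call time
        'suhosin.executor.include.whitelist', // URL schemes allowed in include
        'suhosin.get.max_vars',
        'suhosin.post.max_vars',
        'suhosin.request.max_vars',
        'suhosin.request.max_varname_length',
        'suhosin.upload.max_uploads',
        'suhosin.session.encrypt',            // transparent session encryption
        'suhosin.cookie.encrypt',             // transparent cookie encryption
        'suhosin.mail.protect',               // header-injection guard for mail()
    );

    $settings = array();
    foreach ($names as $name) {
        $value = ini_get($name);
        // ini_get() returns false for a directive this build does not know.
        $settings[$name] = ($value === false) ? null : $value;
    }

    return array('patch' => $patch, 'extension' => $ext, 'settings' => $settings);
}

function suhosin_report(array $status)
{
    $lines = array();
    $lines[] = 'Suhosin patch (core hardening): ' . ($status['patch'] ? 'present' : 'absent');
    $lines[] = 'Suhosin extension (suhosin.so):  ' . ($status['extension'] ? 'loaded' : 'not loaded');

    if (!$status['extension']) {
        $lines[] = 'No extension directives to inspect; only patch-level protections (if any) apply.';
        return implode(PHP_EOL, $lines) . PHP_EOL;
    }

    // Boolean ini values may come back as "1"/"0" or "On"/"Off"; normalise.
    $sim = isset($status['settings']['suhosin.simulation'])
        ? filter_var($status['settings']['suhosin.simulation'], FILTER_VALIDATE_BOOLEAN)
        : false;
    $lines[] = $sim
        ? 'Simulation mode is ON: violations are logged but not blocked.'
        : 'Simulation mode is OFF: violations are enforced. Set suhosin.simulation=On '
          . 'and watch the log first if you need to learn what legacy code would break.';

    foreach ($status['settings'] as $name => $value) {
        if ($value === null) {
            $lines[] = sprintf('  %-38s (directive not known to this build)', $name);
        } else {
            $lines[] = sprintf('  %-38s = %s', $name, ($value === '') ? '(empty)' : $value);
        }
    }
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

echo suhosin_report(suhosin_status());
```

Run it once from the command line (`php suhosin_check.php`) and once through the web server (for example as a page under the document root), because the CLI and the web SAPI can load different php.ini files and a distribution may enable Suhosin in only one of them. A quick cross-check that needs no script is `php -i | grep -i suhosin`, which shows the "protected with the Suhosin Patch/Extension" banner when either is present.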

I wonder, have they contributed their code back into the main PHP project?

This is usually how new code gets integrated into open-source projects.

Toby Allen