Debian Bug report logs - #471336
libapache2-mod-php5: please consider providing debugging version without suhosin


Package: libapache2-mod-php5; Maintainer for libapache2-mod-php5 is (unknown);

Reported by: Marc Haber <mh+debian-bugs@zugschlus.de>

Date: Mon, 17 Mar 2008 14:16:33 UTC

Severity: wishlist

Found in version php5/5.2.5-3

Fixed in version php5/5.3.1-1

Done: Raphael Geissert <geissert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#471336; Package libapache2-mod-php5.


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache2-mod-php5: please consider providing debugging version without suhosin
Date: Mon, 17 Mar 2008 14:19:34 +0100
Package: libapache2-mod-php5
Version: 5.2.5-3
Severity: wishlist

Hi,

some authors of PHP applications claim that the suhosin patch might be
the cause for application misbehavior. For debugging, it would be
good to have a PHP package version without suhosin patch applied.

Please consider generating such a package during your package build
process. Or, should this be impractical, document how to build a PHP
without suhosin from the Debian sources. This should ideally be
controllable from a variable set in debian/rules so that re-building
is easy.

Thanks for considering this.

Greetings
Marc

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.24.3-scyw00225 (PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-php5 depends on:
ii  apache2-mpm-prefork   2.2.8-3            Traditional model for Apache HTTPD
ii  apache2.2-common      2.2.8-3            Next generation, scalable, extenda
ii  libbz2-1.0            1.0.4-4            high-quality block-sorting file co
ii  libc6                 2.7-9              GNU C Library: Shared libraries
ii  libcomerr2            1.40.8-2           common error description library
ii  libdb4.6              4.6.21-6           Berkeley v4.6 Database Libraries [
ii  libkrb53              1.6.dfsg.3~beta1-3 MIT Kerberos runtime libraries
ii  libmagic1             4.23-2             File type determination library us
ii  libpcre3              7.6-2              Perl 5 Compatible Regular Expressi
ii  libssl0.9.8           0.9.8g-7           SSL shared libraries
ii  libxml2               2.6.31.dfsg-2      GNOME XML library
ii  mime-support          3.40-1.1           MIME files 'mime.types' & 'mailcap
ii  php5-common           5.2.5-3            Common files for packages built fr
ii  ucf                   3.005              Update Configuration File: preserv
ii  zlib1g                1:1.2.3.3.dfsg-11  compression library - runtime

libapache2-mod-php5 recommends no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#471336; Package libapache2-mod-php5.


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #10 received at 471336@bugs.debian.org:

From: Ondřej Surý <ondrej@sury.org>
To: Marc Haber <mh+debian-bugs@zugschlus.de>, 471336@bugs.debian.org
Subject: Re: [php-maint] Bug#471336: libapache2-mod-php5: please consider providing debugging version without suhosin
Date: Mon, 17 Mar 2008 16:40:07 +0100
> some authors of PHP applications claim that the suhosin patch might be
> the cause for application misbehavior.

Give us a simple test case.  And better not ask me what I think of some
authors of PHP applications (and PHP itself) :-).

I reviewed the suhosin patch and I don't really think it could "cause
application misbehavior" for any normal application.  Yes, it does
change realpath so it adds some checks here and there and it does check
for heap corruptions (zend_canary), but that's all.

> Please consider generating such a package during your package build
> process. Or, should this be impractical

It is very impractical.  The php build process is very complicated as it is;
building double the number of packages is not going to help.

> document how to build a PHP
> without suhosin from the Debian sources. This should ideally be
> controllable from a variable set in debian/rules so that re-building
> is easy.

Is 'rm debian/patches/suhosin.patch && debuild' so complicated that it
needs its own FAQ point?

Ondrej.
-- 
Ondřej Surý <ondrej@sury.org>





Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#471336; Package libapache2-mod-php5.


Acknowledgement sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #15 received at 471336@bugs.debian.org:

From: Marc Haber <mh+debian-bugs@zugschlus.de>
To: Ondřej Surý <ondrej@sury.org>
Cc: 471336@bugs.debian.org
Subject: Re: [php-maint] Bug#471336: libapache2-mod-php5: please consider providing debugging version without suhosin
Date: Mon, 17 Mar 2008 17:12:32 +0100
On Mon, Mar 17, 2008 at 04:40:07PM +0100, Ondřej Surý wrote:
> > document how to build a PHP
> > without suhosin from the Debian sources. This should ideally be
> > controllable from a variable set in debian/rules so that re-building
> > is easy.
> 
> Is 'rm debian/patches/suhosin.patch && debuild' so complicated that it
> needs its own FAQ point?

I'd rather not be forced to think myself into the - complicated -
build mechanisms of PHP and fear having broken other things.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190




Information forwarded to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#471336; Package libapache2-mod-php5.


Acknowledgement sent to "Raphael Geissert" <atomo64+debian@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.


Message #20 received at 471336@bugs.debian.org:

From: "Raphael Geissert" <atomo64+debian@gmail.com>
To: 471336@bugs.debian.org
Cc: "Marc Haber" <mh+debian-bugs@zugschlus.de>
Subject: Re: [php-maint] Bug#471336: Bug#471336: libapache2-mod-php5: please consider providing debugging version without suhosin
Date: Mon, 17 Mar 2008 19:33:18 -0600
On 17/03/2008, Ondřej Surý <ondrej@sury.org> wrote:
>
>  > document how to build a PHP
>  > without suhosin from the Debian sources. This should ideally be
>  > controllable from a variable set in debian/rules so that re-building
>  > is easy.
>
>  Is 'rm debian/patches/suhosin.patch && debuild' so complicated that it
>  needs its own FAQ point?

Better: sed -i 's/suhosin.patch//' debian/patches/series
(and AFAIR quilt complains if a patch can't be found)

>
>  Ondrej.
>  --
>  Ondřej Surý <ondrej@sury.org>
>
>
>
>
>  _______________________________________________
>  pkg-php-maint mailing list
>  pkg-php-maint@lists.alioth.debian.org
>  http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint


Cheers,
-- 
Atomo64 - Raphael

Please avoid sending me Word, PowerPoint or Excel attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html

Say NO to Microsoft Office broken standard.
See http://www.noooxml.org/petition

Earth Hour 2008 - Take action!
http://www.earthhour.org/user/xJKk
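
The series edit suggested in this message, as an added example (not code from the thread or from the Debian packaging): a shell function that removes one patch from a quilt series file by exact name and fails if the entry is not there exactly once, so a debugging build cannot end up with the hardening patch silently kept or a neighbouring entry mangled. The function names and every sample entry other than suhosin.patch are constructed for illustration.

```shell
# Added example. drop_patch SERIES PATCH
# Returns 0 if exactly one series entry named PATCH was removed, 1 otherwise.
drop_patch() {
    series=$1
    patch=$2
    [ -f "$series" ] || return 1
    # A series line is "name [options]", e.g. "suhosin.patch -p1".
    # Compare the first field as a literal string: an unanchored
    # sed 's/suhosin.patch//' would also rewrite "not-suhosin.patch"
    # and, because "." matches any character, "suhosinXpatch".
    hits=$(awk -v p="$patch" '$1 == p { n++ } END { print n + 0 }' "$series")
    [ "$hits" -eq 1 ] || return 1
    # Keep the original list so the hardened build can be restored.
    cp -p "$series" "$series.orig"
    awk -v p="$patch" '$1 != p' "$series.orig" > "$series"
}

# Constructed sample series file, written to the path given as $1.
write_sample_series() {
    printf '%s\n' \
        '# constructed sample, not the real php5 series' \
        '001-first.patch' \
        'suhosin.patch -p1' \
        'not-suhosin.patch' \
        'suhosinXpatch' > "$1"
}
```

Run from the unpacked source tree as `drop_patch debian/patches/series suhosin.patch && debuild`; a non-zero return means the series file was left untouched.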

Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Mon, 19 Jul 2010 03:00:03 GMT)


Notification sent to Marc Haber <mh+debian-bugs@zugschlus.de>:
Bug acknowledged by developer. (Mon, 19 Jul 2010 03:00:03 GMT)


Message #25 received at 471336-done@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 471336-done@bugs.debian.org
Subject: Re: Bug#471336: libapache2-mod-php5: please consider providing debugging version without suhosin
Date: Sun, 18 Jul 2010 21:55:56 -0500
Source: php5
Source-Version: 5.3.1-1

Since the above mentioned version of the packages, the version of suhosin in 
use permits some of its features to be disabled via env vars. Please refer to 
the following page for more information:
http://www.suspekt.org/2009/08/13/suhosin-patch-098-for-php-530-beta-please-test/

Since it allows you to do what you asked, I'm therefore closing this bug.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Aug 2010 07:32:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:38:08 2023; Machine Name: bembo
