Debian Bug report logs - #662637
RFA: php-suhosin -- advanced protection module for php5

Package: wnpp; Maintainer for wnpp is wnpp@debian.org;

Reported by: Jan Wagner <waja@cyconet.org>

Date: Mon, 5 Mar 2012 13:18:02 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, pkg-php-maint@lists.alioth.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Mon, 05 Mar 2012 13:18:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
New Bug report received and forwarded. Copy sent to pkg-php-maint@lists.alioth.debian.org, wnpp@debian.org. (Mon, 05 Mar 2012 13:18:10 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Jan Wagner <waja@cyconet.org>
To: submit@bugs.debian.org
Subject: RFA: php-suhosin -- advanced protection module for php5
Date: Mon, 05 Mar 2012 14:17:05 +0100

Package: wnpp
Severity: normal
X-Debbugs-CC: debian-devel@lists.debian.org
X-Debbugs-CC: pkg-php-maint@lists.alioth.debian.org

We (Alexander and I) are requesting an adopter for the php-suhosin
package.

The long description is:

This package provides a module for suhosin functions.

Suhosin is an advanced protection system for PHP installations. It was
designed to protect servers and users from known and unknown flaws in
PHP applications and the PHP core. Suhosin comes in two independent
parts, that can be used separately or in combination. The first part
is a small patch against the PHP core, that implements a few low-level
protections against buffer overflows or format string vulnerabilities
and the second part is a powerful PHP extension that implements all
the other protections.

We both haven't enough time to take the care the package deserves.

The upstream scm can be found at: https://github.com/stefanesser

Latest packaging can be found at:
https://scm.uncompleted.org/svn/debian/php-suhosin/trunk/

Thanks and with kind regards, Jan.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Mon, 05 Mar 2012 13:27:41 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Mon, 05 Mar 2012 13:27:45 GMT) Full text and rfc822 format available.

Message #10 received at 662637@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Jan Wagner <waja@cyconet.org>, 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637: RFA: php-suhosin -- advanced protection module for php5
Date: Mon, 5 Mar 2012 14:22:02 +0100
Jan,

in that case, could you please request removal of php(5)-suhosin from
testing, so it doesn't block php 5.4 transition?

O.

On Mon, Mar 5, 2012 at 14:17, Jan Wagner <waja@cyconet.org> wrote:
> Package: wnpp
> Severity: normal
> X-Debbugs-CC: debian-devel@lists.debian.org
> X-Debbugs-CC: pkg-php-maint@lists.alioth.debian.org
>
> We (Alexander and I) are requesting an adopter for the php-suhosin
> package.
>
> The long description is:
>
> This package provides a module for suhosin functions.
>
> Suhosin is an advanced protection system for PHP installations. It was
> designed to protect servers and users from known and unknown flaws in
> PHP applications and the PHP core. Suhosin comes in two independent
> parts, that can be used separately or in combination. The first part
> is a small patch against the PHP core, that implements a few low-level
> protections against buffer overflows or format string vulnerabilities
> and the second part is a powerful PHP extension that implements all
> the other protections.
>
> We both haven't enough time to take the care the package deserves.
>
> The upstream scm can be found at: https://github.com/stefanesser
>
> Latest packaging can be found at:
> https://scm.uncompleted.org/svn/debian/php-suhosin/trunk/
>
> Thanks and with kind regards, Jan.



-- 
Ondřej Surý <ondrej@sury.org>




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Mon, 05 Mar 2012 13:36:53 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Mon, 05 Mar 2012 13:36:58 GMT) Full text and rfc822 format available.

Message #15 received at 662637@bugs.debian.org (full text, mbox):

From: Jan Wagner <waja@cyconet.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637: RFA: php-suhosin -- advanced protection module for php5
Date: Mon, 05 Mar 2012 14:32:49 +0100

Hi Ondřej,

On 03/05/2012 02:22 PM, Ondřej Surý wrote:
> in that case, could you please request removal of php(5)-suhosin
> from testing, so it doesn't block php 5.4 transition?

in what case? Why do you think that is needed?

Thanks and with kind regards, Jan.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Mon, 05 Mar 2012 13:54:56 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Mon, 05 Mar 2012 13:55:02 GMT) Full text and rfc822 format available.

Message #20 received at 662637@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Jan Wagner <waja@cyconet.org>
Cc: 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637: RFA: php-suhosin -- advanced protection module for php5
Date: Mon, 5 Mar 2012 14:53:23 +0100
On Mon, Mar 5, 2012 at 14:32, Jan Wagner <waja@cyconet.org> wrote:
> On 03/05/2012 02:22 PM, Ondřej Surý wrote:
>> in that case, could you please request removal of php(5)-suhosin
>> from testing, so it doesn't block php 5.4 transition?
>
> in what case?

In the case the package is/will be not maintained anymore.

>  Why do you think that is needed?

Because php-suhosin currently FTBFS with PHP 5.4, and php5-suhosin in
testing now depends on old phpapi-2009..., effectively blocking the
transition.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Mon, 05 Mar 2012 14:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Mon, 05 Mar 2012 14:15:07 GMT) Full text and rfc822 format available.

Message #25 received at 662637@bugs.debian.org (full text, mbox):

From: Jan Wagner <waja@cyconet.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637: RFA: php-suhosin -- advanced protection module for php5
Date: Mon, 05 Mar 2012 15:09:47 +0100

Hi Ondřej,

On 03/05/2012 02:53 PM, Ondřej Surý wrote:
> On Mon, Mar 5, 2012 at 14:32, Jan Wagner <waja@cyconet.org> wrote:
>> On 03/05/2012 02:22 PM, Ondřej Surý wrote:
>>> in that case, could you please request removal of
>>> php(5)-suhosin from testing, so it doesn't block php 5.4
>>> transition?
>> 
>> in what case?
> 
> In the case the package is/will be not maintained anymore.

actually we are not in this state. We created a RFA, otherwise it
would be an O.

>> Why do you think that is needed?
> 
> Because php-suhosin currently FTBFS with PHP 5.4, and php5-suhosin
> in testing now depends on old phpapi-2009..., effectively blocking
> the transition.

We sorted this out with upstream already. Upstream told us that
fixing PHP 5.4 issues will be done after the release. As the release
was just 4 days ago, I guess we are not in a hurry.

With kind regards, Jan.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Mon, 05 Mar 2012 14:18:19 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Mon, 05 Mar 2012 14:18:19 GMT) Full text and rfc822 format available.

Message #30 received at 662637@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Jan Wagner <waja@cyconet.org>
Cc: 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637: RFA: php-suhosin -- advanced protection module for php5
Date: Mon, 5 Mar 2012 15:13:35 +0100
On Mon, Mar 5, 2012 at 15:09, Jan Wagner <waja@cyconet.org> wrote:
> Hi Ondřej,
>
> On 03/05/2012 02:53 PM, Ondřej Surý wrote:
>> On Mon, Mar 5, 2012 at 14:32, Jan Wagner <waja@cyconet.org> wrote:
>>> On 03/05/2012 02:22 PM, Ondřej Surý wrote:
>>>> in that case, could you please request removal of
>>>> php(5)-suhosin from testing, so it doesn't block php 5.4
>>>> transition?
>>>
>>> in what case?
>>
>> In the case the package is/will be not maintained anymore.
>
> actually we are not in this state. We created a RFA, otherwise it
> would be an O.
>
>>> Why do you think that is needed?
>>
>> Because php-suhosin currently FTBFS with PHP 5.4, and php5-suhosin
>> in testing now depends on old phpapi-2009..., effectively blocking
>> the transition.
>
> We sorted this out with upstream already. Upstream told us that
> fixing PHP 5.4 issues will be done after the release. As the release
> was just 4 days ago, I guess we are not in a hurry.

Ok, thanks for the info :). That made me happy.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Tue, 13 Mar 2012 14:18:17 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 13 Mar 2012 14:18:18 GMT) Full text and rfc822 format available.

Message #35 received at 662637@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Jan Wagner <waja@cyconet.org>
Cc: 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637: RFA: php-suhosin -- advanced protection module for php5
Date: Tue, 13 Mar 2012 15:17:23 +0100
On Mon, Mar 5, 2012 at 15:09, Jan Wagner <waja@cyconet.org> wrote:
> We sorted this out with upstream already. Upstream told us that
> fixing PHP 5.4 issues will be done after the release. As the release
> was just 4 days ago

Any news from upstream author?  The last commit in github was a month ago.

> I guess we are not in a hurry.

That depends. We need to get PHP 5.4 to testing soon(-ish), because it
has introduced a couple of changes which could be disruptive and I would
like to have plenty of time for testing that everything works as it
should.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.hu>:
You have taken responsibility. (Mon, 21 May 2012 21:51:13 GMT) Full text and rfc822 format available.

Notification sent to Jan Wagner <waja@cyconet.org>:
Bug acknowledged by developer. (Mon, 21 May 2012 21:51:13 GMT) Full text and rfc822 format available.

Message #40 received at 662637-close@bugs.debian.org (full text, mbox):

From: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
To: 662637-close@bugs.debian.org
Subject: Bug#662637: fixed in php-suhosin 0.9.33-2
Date: Mon, 21 May 2012 21:48:03 +0000
Source: php-suhosin
Source-Version: 0.9.33-2

We believe that the bug you reported is fixed in the latest version of
php-suhosin, which is due to be installed in the Debian FTP archive:

php-suhosin_0.9.33-2.debian.tar.gz
  to main/p/php-suhosin/php-suhosin_0.9.33-2.debian.tar.gz
php-suhosin_0.9.33-2.dsc
  to main/p/php-suhosin/php-suhosin_0.9.33-2.dsc
php5-suhosin_0.9.33-2_amd64.deb
  to main/p/php-suhosin/php5-suhosin_0.9.33-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 662637@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.hu> (supplier of updated php-suhosin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Mon, 02 Apr 2012 09:39:37 +0000
Source: php-suhosin
Binary: php5-suhosin
Architecture: source amd64
Version: 0.9.33-2
Distribution: unstable
Urgency: low
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.hu>
Description: 
 php5-suhosin - advanced protection module for php5
Closes: 656486 662637 663954 667865
Changes: 
 php-suhosin (0.9.33-2) unstable; urgency=low
 .
   * New maintainer (closes: #662637).
   * Clean up packaging, updated Standards-Version and switched to 3.0 (quilt)
     source format.
   * Make it build with PHP 5.4 (closes: #656486, #663954, #667865) with
     php54_fixes.patch added.





Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Tue, 22 May 2012 17:45:14 GMT) Full text and rfc822 format available.

Acknowledgement sent to Jan Wagner <waja@cyconet.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 22 May 2012 17:45:15 GMT) Full text and rfc822 format available.

Message #45 received at 662637@bugs.debian.org (full text, mbox):

From: Jan Wagner <waja@cyconet.org>
To: 662637@bugs.debian.org
Cc: formorer@debian.org
Subject: Re: Bug#662637 closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu> (Bug#662637: fixed in php-suhosin 0.9.33-2)
Date: Tue, 22 May 2012 19:43:56 +0200

Hi Laszlo,

On 21.05.2012 23:51, Debian Bug Tracking System wrote:
> This is an automatic notification regarding your Bug report which
> was filed against the wnpp package:
> 
> #662637: RFA: php-suhosin -- advanced protection module for php5
> 
> It has been closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu>.

we (Alexander and I) wished that an adopter had contacted us about his
intention before just uploading a new package.
Anyways .. looking into your php54_fixes.patch doesn't convince me
that is an appropriate fix. For more info please have a look into:

https://github.com/stefanesser/suhosin/issues/5
https://github.com/stefanesser/suhosin/issues/14

Cheers, Jan.




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Tue, 29 May 2012 20:39:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 29 May 2012 20:39:06 GMT) Full text and rfc822 format available.

Message #50 received at 662637@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: Laszlo Boszormenyi <gcs@debian.hu>
Cc: Jan Wagner <waja@cyconet.org>, 662637@bugs.debian.org
Subject: Re: Bug#662637 closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu> (Bug#662637: fixed in php-suhosin 0.9.33-2)
Date: Tue, 29 May 2012 22:28:47 +0200
On Tue, 22 May 2012, Jan Wagner wrote:

> Hi Laszlo,
> 
> On 21.05.2012 23:51, Debian Bug Tracking System wrote:
> > This is an automatic notification regarding your Bug report which
> > was filed against the wnpp package:
> > 
> > #662637: RFA: php-suhosin -- advanced protection module for php5
> > 
> > It has been closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu>.
> 
> we (Alexander and I) wished that an adopter had contacted us about his
> intention before just uploading a new package.
> Anyways .. looking into your php54_fixes.patch doesn't convince me
> that is an appropriate fix. For more info please have a look into:
> 
> https://github.com/stefanesser/suhosin/issues/5
> https://github.com/stefanesser/suhosin/issues/14
Ok, given your badly done uploads I revert the maintainership back to us.
Tomorrow I'll upload the package back to the state of 0.9.33-1. It was a RFA
and you never talked about it to us. And you made exactly the errors we
wanted to prevent.

Alex





Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Thu, 31 May 2012 02:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Laszlo Boszormenyi (GCS)" <gcs@debian.hu>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Thu, 31 May 2012 02:21:06 GMT) Full text and rfc822 format available.

Message #55 received at 662637@bugs.debian.org (full text, mbox):

From: "Laszlo Boszormenyi (GCS)" <gcs@debian.hu>
To: Alexander Wirt <formorer@debian.org>
Cc: Jan Wagner <waja@cyconet.org>, 662637@bugs.debian.org
Subject: Re: Bug#662637 closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu> (Bug#662637: fixed in php-suhosin 0.9.33-2)
Date: Thu, 31 May 2012 02:09:22 +0000
Hi Alexander, Jan,

On Tue, 2012-05-29 at 22:28 +0200, Alexander Wirt wrote:
> On Tue, 22 May 2012, Jan Wagner wrote:
> > we (Alexander and I) wished that an adopter had contacted us about his
> > intention before just uploading a new package.
 It was not really my intention to do it silently. I've had serious email
problems for a while. My Evolution crashes on startup and I can't fix it.
It calls a function which ends in glibc functions, coded in x64
assembly. Now I installed it in a Wheezy chroot. Still not good, but
better than nothing.

> > Anyways .. looking into your php54_fixes.patch doesn't convince me
> > that is an appropriate fix. For more info please have a look into:
 In short, I know it's not a finished and polished patch. Stefan Esser
gave no ETA for the finished PHP 5.4 support. All I would like is to give
users a chance to evaluate it, find things that may break and so on.
Wheezy freeze is coming and Suhosin needs testing, even if not yet ready
for production environments.

> Ok, given your badly done uploads I revert the maintainership back to us.
> Tomorrow I'll upload the package back to the state of 0.9.33-1. It was a RFA
> and you never talked about it to us. And you made exactly the errors we
> wanted to prevent.
 While I agree that 0.9.33-2 contained a bad mistake, I would like to
learn and fix everything as soon as possible. Of course, it's your call
if you give me a helping hand in this or take over the package.

Thanks for your patience. Regards,
Laszlo/GCS

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Thu, 31 May 2012 06:12:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Wirt <formorer@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Thu, 31 May 2012 06:12:03 GMT) Full text and rfc822 format available.

Message #60 received at 662637@bugs.debian.org (full text, mbox):

From: Alexander Wirt <formorer@debian.org>
To: "Laszlo Boszormenyi (GCS)" <gcs@debian.hu>
Cc: Jan Wagner <waja@cyconet.org>, 662637@bugs.debian.org, pkg-php-maint@lists.alioth.debian.org
Subject: Re: Bug#662637 closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu> (Bug#662637: fixed in php-suhosin 0.9.33-2)
Date: Thu, 31 May 2012 08:06:15 +0200
On Thu, 31 May 2012, Laszlo Boszormenyi (GCS) wrote:

> Hi Alexander, Jan,
> 
> On Tue, 2012-05-29 at 22:28 +0200, Alexander Wirt wrote:
> > On Tue, 22 May 2012, Jan Wagner wrote:
> > > we (Alexander and I) wished that an adopter had contacted us about his
> > > intention before just uploading a new package.
>  It was not really my intention to do it silently. I've had serious email
> problems for a while. My Evolution crashes on startup and I can't fix it.
> It calls a function which ends in glibc functions, coded in x64
> assembly. Now I installed it in a Wheezy chroot. Still not good, but
> better than nothing.
> 
> > > Anyways .. looking into your php54_fixes.patch doesn't convince me
> > > that is an appropriate fix. For more info please have a look into:
>  In short, I know it's not a finished and polished patch. Stefan Esser
> gave no ETA for the finished PHP 5.4 support. All I would like is to give
> users a chance to evaluate it, find things that may break and so on.
> Wheezy freeze is coming and Suhosin needs testing, even if not yet ready
> for production environments.
That is exactly the thing we wanted to prevent. suhosin is no thingy "for
learning" or for "testing". You should have taken the time to read our
comments regarding uploading this "version". We stated several times that we
don't think this version should be uploaded to debian. Just
hijacking/uploading the package is no solution.

> 
> > Ok, given your badly done uploads I revert the maintainership back to us.
> > Tomorrow I'll upload the package back to the state of 0.9.33-1. It was a RFA
> > and you never talked about it to us. And you made exactly the errors we
> > wanted to prevent.
>  While I agree that 0.9.33-2 contained a bad mistake, I would like to
> learn and fix everything as soon as possible. Of course, it's your call
> if you give me a helping hand in this or take over the package.
As written above, this is no learning package, its impact is much too big for
this. We will take the package back into our maintenance, you can join the
team if you want. But I don't think it's currently wise to leave things as
they are. I would even go so far to say that if there is no released version
we shouldn't ship wheezy with suhosin. I really don't want the shitstorm if
there is a hole in that pre-version and we ship wheezy with it.

I added the php maintainers to Cc, maybe they have some input to that topic.

Alex





Bug reopened Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 31 May 2012 06:21:09 GMT) Full text and rfc822 format available.

No longer marked as fixed in versions php-suhosin/0.9.33-2. Request was from Alexander Wirt <formorer@debian.org> to control@bugs.debian.org. (Thu, 31 May 2012 06:21:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Thu, 31 May 2012 07:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Thu, 31 May 2012 07:42:06 GMT) Full text and rfc822 format available.

Message #69 received at 662637@bugs.debian.org (full text, mbox):

From: Ondřej Surý <ondrej@debian.org>
To: Alexander Wirt <formorer@debian.org>
Cc: "Laszlo Boszormenyi (GCS)" <gcs@debian.hu>, pkg-php-maint@lists.alioth.debian.org, 662637@bugs.debian.org
Subject: Re: [php-maint] Bug#662637 closed by Laszlo Boszormenyi (GCS) <gcs@debian.hu> (Bug#662637: fixed in php-suhosin 0.9.33-2)
Date: Thu, 31 May 2012 09:32:13 +0200
On Thu, May 31, 2012 at 8:06 AM, Alexander Wirt <formorer@debian.org> wrote:
> As written above, this is no learning package, its impact is much too big for
> this. We will take the package back into our maintenance, you can join the
> team if you want. But I don't think it's currently wise to leave things as
> they are. I would even go so far to say that if there is no released version
> we shouldn't ship wheezy with suhosin. I really don't want the shitstorm if
> there is a hole in that pre-version and we ship wheezy with it.

I couldn't write this better. Hurrying suhosin so 'oooh, let's have
some version in wheezy' is the worst idea I have seen so far.

You can move this version to experimental (no harm in doing that
although also no point), and I have filed an RC bug against php5-suhosin
to prevent its migration to testing.

> I added the php maintainers to Cc, maybe they have some input to that topic.

O.
-- 
Ondřej Surý <ondrej@sury.org>




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Tue, 16 Jul 2013 23:33:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Tue, 16 Jul 2013 23:33:04 GMT) Full text and rfc822 format available.

Message #74 received at 662637@bugs.debian.org (full text, mbox):

From: Filipus Klutiero <chealer@gmail.com>
To: Karl Schmidt <karl@xtronics.com>, 662637@bugs.debian.org
Cc: gcs@debian.hu, peter.prochaska@hardened-php.net, stefan.esser@hardened-php.net, christopher.kunz@hardened-php.net, debian-publicity@lists.debian.org
Subject: Re: php5-suhosin in Debian
Date: Tue, 16 Jul 2013 19:29:26 -0400
Hi Karl,

On 2013-07-16 12:50, Karl Schmidt wrote:
> Is this package dead?  It looks like the project is no longer maintained -  Last dated bit I can find on the project page is 2007
>
> There are several bugs listed all complaining that it is uninstallable that should be merged and if this package is being abandoned it would be good to say that is the case as it provided some security.  Some kind of comment in the bugs would help.
>
> An entry in Debian Project News as to the status of suhosin would help inform people.
>
> http://debian.distrosfaqs.org/debian-user/wheezy-still-missing-php5-suhosin/

before we publish an entry on Suhosin, something needs to happen. Suhosin is still in unstable. #662637 would be the place to discuss whether that should stay the case. I wouldn't call a project which still has to come to life as "dead", but I would agree that this pregnancy isn't promising. If Suhosin is unusable, I don't see why we wouldn't remove it from unstable.

-- 
Filipus Klutiero
http://www.philippecloutier.com




Information forwarded to debian-bugs-dist@lists.debian.org, wnpp@debian.org:
Bug#662637; Package wnpp. (Wed, 17 Jul 2013 00:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Karl Schmidt <karl@xtronics.com>:
Extra info received and forwarded to list. Copy sent to wnpp@debian.org. (Wed, 17 Jul 2013 00:51:04 GMT) Full text and rfc822 format available.

Message #79 received at 662637@bugs.debian.org (full text, mbox):

From: Karl Schmidt <karl@xtronics.com>
To: Filipus Klutiero <chealer@gmail.com>
Cc: 662637@bugs.debian.org
Subject: Re: php5-suhosin in Debian
Date: Tue, 16 Jul 2013 19:49:42 -0500
On 07/16/2013 06:29 PM, Filipus Klutiero wrote:
> Hi Karl,
>
> before we publish an entry on Suhosin, something needs to happen. Suhosin is still in unstable.
> #662637 would be the place to discuss whether that should stay the case. I wouldn't call a project
> which still has to come to life as "dead", but I would agree that this pregnancy isn't promising. If
> Suhosin is unusable, I don't see why we wouldn't remove it from unstable.

Thanks for your reply. My concern is that while I know it has to be removed on a wheezy server,
there is some amount of security that it did provide that is now missing - and I don't think it has 
been obsoleted in the updates of php.

If this was some other package, it would be of little interest, but when security appears to be 
going backwards, it gets my attention.

I have not seen anywhere any analysis of the impact on security, now that this package is missing.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 16:59:56 2014; Machine Name: beach.debian.org
