I would like to see Suhosin optional by a php.ini option. In this way a webmaster can evaluate the risk and benefits.
I strongly encourage the core PHP team to give more attention to security issues, especially addressing long known problems.
Clearly adding security fixes is dicey, as the current example shows. To me the strategy should be to provide security improvements as an option if a measure cannot be agreed upon unanimously.
2012-02-06 21:07:03 - In reply to message 1 from Christian Sager
Well, Suhosin is already an extension that you can control via php.ini, it just does not come built into PHP.
It seems the PHP core team and Stefan Esser have fundamental differences of opinion on what is accepted to include in a security extension like this, so it is unlikely that Suhosin will ever be integrated in the PHP core.