PHP 5.4.1 in – Suhosin out

Today I finally moved PHP 5.4.1 into our [testing] repository. Our previous tests of 5.4.0 were quite successful. In short PHP 5.4 is ready for production now and will be in our [extra] repository in a couple of days.

When I first packaged PHP 5.4.0, one of the most concerning issues was the lack of a compatible Suhosin patch and extension. Unfortunately this situation has not changed within the last two months: there is still no information on whether or when Suhosin will be released for recent versions of PHP. Therefore I decided to remove the Suhosin patch and its extension from our repository. To avoid breaking compatibility on minor updates, the current version in [extra], PHP 5.3.11, still includes a patched version of Suhosin; the last official one was released for 5.3.9.

Suhosin is a safeguard for PHP scripts and for PHP itself. It consists of a patch to PHP and an extension, which can be used independently of each other. The patch aims to protect the PHP core against buffer overflows and format string vulnerabilities. Scripts written in PHP are protected by the Suhosin extension, which can be configured to disallow or limit certain user input (for example the number and size of request variables). There is also a feature to transparently encrypt cookie and session data. More of Suhosin’s features are described on its website.
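To make the two kinds of protection mentioned above concrete, here is a php.ini fragment for the Suhosin extension. This is an added illustration, not configuration from the original post or from the Arch package: the directive names are the extension’s own, but the limits, the key placeholders and the function list are assumptions chosen for illustration, not recommendations.

```ini
; Added example, not from the original post: a php.ini fragment showing the
; kind of controls the Suhosin extension offers. Directive names are the
; extension's own; values and key material are illustrative assumptions.

; Simulation mode logs violations without blocking them. Useful while
; evaluating the limits against a real application; switch to Off afterwards,
; otherwise none of the rules below is enforced.
suhosin.simulation = On

; Limit user input: cap the number and size of request variables and the
; nesting depth of array parameters (GET, POST and combined request).
suhosin.get.max_vars = 100
suhosin.post.max_vars = 200
suhosin.request.max_vars = 200
suhosin.get.max_value_length = 512
suhosin.post.max_value_length = 65000
suhosin.request.max_array_depth = 20

; Transparently encrypt cookie and session data, so the client only ever
; sees ciphertext. Keys must be long, random and unique per installation;
; the strings below are placeholders.
suhosin.cookie.encrypt = On
suhosin.cookie.cryptkey = "replace-with-a-long-random-cookie-key"
suhosin.session.encrypt = On
suhosin.session.cryptkey = "replace-with-a-long-random-session-key"

; Restrict what scripts may call. The list is an example; derive it from
; what the deployed application actually needs.
suhosin.executor.func.blacklist = "system,exec,passthru,shell_exec"
```

Because the patch and the extension are independent, a fragment like this only takes effect when the extension is loaded; it does nothing for the core-hardening part, which is the patch the post says can no longer be kept in sync with PHP 5.4.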

Certainly some of Suhosin’s features are a good idea, as they might protect you in case PHP itself or a script has a flaw. This is why it was added years ago when I took over maintainership of PHP. Fortunately some of its features have been added to PHP itself over time. But today we are confronted with several problems:

  • There is no Suhosin for PHP 5.4. This means we would be stuck at 5.3 and could not ship the most recent packages, which is one of the goals of Arch Linux.
  • The upstream project has become less and less active over the past years. There are several indicators that make Suhosin an unhealthy open source project: there is still only one main contributor, the development process is mostly closed, there is no public repository for the patch, no bug tracker, the forums have been in maintenance mode for years and the latest news entry is from 2007. Of course things might be different behind the scenes, but this is the situation that is publicly visible.
  • The delays between PHP releases and their Suhosin counterparts are increasing. I often have to patch the Suhosin patch itself to use it with the latest minor updates of PHP. This leaves us with a PHP version that is supported neither by the PHP project nor by the Suhosin authors. While these modifications are mostly trivial, I cannot exclude the possibility that I break PHP in a dangerous way. The situation is even worse on a major update like the one we have now: adjusting Suhosin to PHP 5.4 is not trivial. In addition, testing development releases or release candidates often means that you have to disable Suhosin.
  • The project has no plans to ever move any of Suhosin’s features into PHP itself. In fact the Suhosin author is strictly against such a move.

In general we have a “Do not patch” policy in Arch and try to keep our packages as close to upstream as possible. In its current state I no longer have any excuse to break this rule for Suhosin; in fact I now have a lot of arguments that support this policy. So even if a new version of Suhosin were released tomorrow, next week or in a few months, it won’t be re-added to our PHP packages. The upstream project would need to change its process to be reliable again. The relationship with the PHP project itself has to improve, and an attempt should at least be made to get certain features into the PHP core.

26 Replies to “PHP 5.4.1 in – Suhosin out”

  1. This is great news. Thx for all the hard work. After reading this post, I started wondering about the php-apache package? Is it tied somehow to the apache package, which badly needs updating too?

  2. Thx for that piece of news Pierre, let’s hope that package gets updated at some point too. Even though the focus seems to be on nginx atm for many.

  3. Suhosin 0.9.34-dev is currently under development and adds support for PHP 5.4. I have a working copy running and apart from a couple of quirks, it runs as stable as older versions did.

    1. This is definitely an option for those who depend on Suhosin functionality. But there is most likely a reason why it was not tagged yet, so I would not feel comfortable packaging it.

      But I will probably provide a PKGBUILD in the AUR.

  4. What is the reason for this Suhosin stuff not being integrated into PHP itself?
    I’ve seen no PHP installation done without it, ever. Why is it not a core part of PHP?

    1. Integrating at least some of Suhosin’s features into PHP itself would be best for sure. Unfortunately the chances of this happening are very slim.

      There was also a related article on LWN: https://lwn.net/Articles/479716/ (Note that Debian had different reasons for dropping Suhosin)

      1. Hi Pierre,

        I would disagree that Debian’s reasons were fundamentally different from yours. So thanks for summing that up, I’ll use your blogpost as reference in the future since you have well written reasons which I had in mind, but was unable to formulate at the time I dropped suhosin patch from Debian packages.

        O.

  5. Regarding the “there is no public repository for the patch” part, there it is: https://github.com/stefanesser/suhosin

    I have to say I would have preferred Arch to hold off on the PHP 5.4 upgrade a little longer in order to have a more stable PHP and to be able to keep Suhosin.

    Don’t get me wrong, I really thank you for maintaining the PHP package and if it seems to you that it is the best solution for now, so be it.

    1. This repository is for the extension, not for the patch.

      How long should we have kept 5.3 and waited for Suhosin? 5.4 was released like two and a half months ago. If there was an ETA things might have been easier to plan, but without any information when and if a release will be available things are harder to decide.

      And even for 5.3 the most recent Suhosin patch is for 5.3.9.

      1. You are right regarding the repository, thank you for pointing out my mistake.

        And yes, I understand your point regarding the fact that there is no way to know when a Suhosin patch will be released, if at all.

        I think you are doing a great job, so again, thank you!

  6. The Arch Linux Apache package has been marked as out of date for a little over three months. Are there plans to update this package to version 2.4? If so, do you have a rough guess as to when this will take place?

    mod-sessions will not run on the current, out of date, packaged version.

  7. (Read the list) Wow…

    This guy (Stefan) is so convinced in “security by depth” that he doesn’t see his changes being just as beneficial (if not more so) in mainline than in random patches.

    If you’re really THE trusted source on PHP security, you’d be working with PHP.net, not arguing with them and trying to reduce the credibility of others by calling them out on working for Microsoft. He’s prioritizing control of his project and ego over the benefit of the PHP community as a whole, just because he’d rather be the introvert and not seek middle ground with developers on PHP.net. Once the mud starts slinging, you’ve lost your credibility. He blamed you, blamed the PHP community for not coming out and agreeing with him, blamed having to write proper documentation on his processes for not getting his work mainlined.

    @Stefan: PHP.net is bigger than you and your project. You can make a big difference and contribute upstream (which is always the better solution: quicker releases and more secure vanilla installs for everyone) or you can continue your stance and get left behind. Eventually someone competent will come along and “clone” all of your work into mainline and you’ll be forgotten and have no voice in the community going forward, or you’ll wake up and try to compromise. You could be doing so many other things than fighting with the mainline developers, like mentoring one of them on security and letting them do the work for you. I bet plenty of people would be willing to play liaison.

  8. @Pierre: is it still available in a convenient/elegant way to those who want to have Suhosin on Arch?

    No doubt it is a shame that this Stefan dude is being so difficult, but on the technical points I think he’s actually right. Have there been any efforts to reach out to him for an ETA on the next updated release? If he releases an update to it, is there any chance that it could get re-included in Arch by default?

    PHP security is a serious issue however you slice it, so it’s really sad to see all this happening. I wish there could be a taskforce formed in the PHP.net community committing to audit all of the Suhosin code and merge back in the things that are truly beneficial for the core. Then we wouldn’t have this problem.

    I’d love to hear anyone’s feedback on these points. Thanks.

  9. Just stumbled upon this thread when looking for a patch for 5.4.
    Now I just want to ask you not to judge rashly without full insight into what went on behind the scenes.
    If I remember it right, the split from Stefan was primarily driven by fundamentally different approaches and stances towards how security issues are handled within the PHP project and how a “security issue” is defined.
    The question why Suhosin functionality still is not picked up in PHP should give a hint, as should the fact that Suhosin is so sought after…
    Thus it may be unfair, if not wrong, to put all the blame on Stefan and discredit his superb achievement.
    I’m not only worried about the future of the Suhosin project but also about how stellar open source projects fare sometimes these days…
    I hope the project will get off the ground again.
    For me (as an implementer), security of PHP IS a concern…

    1. @hilfr I couldn’t agree more. I hope that Arch adopts Suhosin by default once again when Stefan comes out with a new release.

    2. And security also includes reliability. At the moment, though, Suhosin isn’t reliable at all. The patch will be, maybe, compatible one day, but there’s no info about when, or even if, this day will come.
      And what then? Waiting again until a one-man show, who might be busy with other things, gets the patch finished for a new PHP version?
      Sure, I’m not happy with this situation either.

  10. “””
    There is still only one main contributor, the development process is mostly closed, there is no public repository for the patch, no bug tracker, the forums are in maintenance mode for years and the latest news entry is from 2007.
    “””

    You are wrong. Suhosin moved to github:

    https://github.com/stefanesser/suhosin

    1. As already said, this is not the Suhosin patch but the extension. And as you can see, there is also no new extension for 5.4 yet.
