<? DriftLogic ¿>

I like vanilla. Don't get me wrong, chocolate is nice, so is strawberry. But nothing is as versatile as vanilla. Vanilla has a nice base flavor, but the real excitement comes when you start adding toppings to make your own unique flavor. I have no problem with Linux of the flavored variety, like Ubuntu, Red Hat, Fedora. They give you something tasty and functional right out of the box. The issue comes when you decided that the flavor is just slightly off.

Normally, when you install a PHP package on any flavor of linux, it comes with a pre-packaged set of libraries. Even Gentoo with it's nothing but the kitchen sink approch includes some default libraries, but makes it rather easy to see what you're getting, and lets you change the includes during compile. Ubuntu gives you the package as the maintainers decided you should have it. By in large, this should be okay. Sadly, PHP on Ubuntu is the exception.

Take a look at the phpinfo() of a basic Ubuntu installation, something stands out, right near the top. Suhosin. Suhosin is the evolution of what was the php-hardening project. A group of guys who took it upon themselves to start patching PHP holes faster than the main branch would. This was an awesome and commendable idea, I personally used harneded PHP on servers I've built since PHP 5.0. The issue comes with the Ubuntu package and it's default inclusion. When the default package gets installed, none of the configuration settings for Suhosin are included. It's not mentioned anywhere. Not in one of the optionally included configuration, not in the core php.ini file. Just nowhere. Like it doesn't exist. Worse than that, there is no way to remove it.

Since Suhosin is an extension, when you install it as it's own package through Ubuntu, it includes all the configuration options and even a line that should allow you to disable it. But because it's included in the default compile of PHP, installing the Suhosin package extension only really adds the configuration options for the extension.

The mass though on this would be that Suhosin is good! Why not have it on by default? Security is awesome and lets us sleep. Fair enough, now just trade that sleep when you're trying to figure out why something isn't working, and you've pulled every last hair trying to figure out what's stopping that 50th array element from a post from getting to the server that you realize mysterious forces you can't control are getting in the way.

And that's the point, they shouldn't be mysterious. Suhosin doesn't add features, it adds restrictions. Restrictions that, by default, arn't shown. Woe is to the developer that hadn't installed or configured it before, because it radically changes how the platform behaves. If you're within the boundaries that suhosin redefines for you, then it's great, the issue comes when you're counting on one element that should work, but doesn't because of hidden restrictions that arn't documented anywhere in the configuration file and you cannot remove without a radical modification of the deb package or recompiling from scratch.

This isn't an argument against Suhosin. I love it, and I really appreciate that it's developers took the time to step in and make security patches to PHP ahead of the core developers. Shows initiative. This is an argument about adding stealth restrictions, which the Ubuntu package maintainers decided to do without documentation or the ability to remove them.

If in the package you want to roll, you want to throw in everything but the kitchen sink, don't plan on changing the door locks at the same time.