[Bug 498022] [NEW] Need package for php5 without suhosin patch

jmccaskey jmccaskey at valvesoftware.com
Fri Dec 18 00:05:15 GMT 2009


Public bug reported:

Binary package hint: php5

First, I know bugs related to suhosin have been discussed before and
understand that you can choose to use the module or not by installing
php5-suhosin.  However, there is currently no way to disable the core
suhosin patch except to build your own PHP5 packages.

The Suhosin patch itself adds significant memory and cpu overhead to PHP
and there should be a way to disable it without having to go through the
headache of maintaining our own modules.

In our case we are serving the page
http://store.steampowered.com/app/500/ as an example, with the default
Ubuntu package with Suhosin we get peak memory usage during page
generation of 9961472 bytes, and a total execution time of ~75ms.  If we
rebuild without the Suhosin patch and use a custom package we end up
with peak memory usage of 7077888 bytes and a page generation time of
roughly 50ms.  These same type of results (ie, roughly 40% increased
memory usage and 20-50% increased CPU usage) are easily repeatable
across many machines and across many different page requests.

Since our code is well audited and secure, and since the memory canaries
it provides only help detect memory corruption bugs in PHP itself and do
not prevent them we see no reason we would ever wish to run with it
enabled on our production servers.

Please provide packages for Ubuntu that don't force the inclusion of
Suhosin!

** Affects: php5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Need package for php5 without suhosin patch
https://bugs.launchpad.net/bugs/498022
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php5 in ubuntu.



More information about the Ubuntu-server-bugs mailing list