Need package for php5 without suhosin patch

A bit late to the party here, but have you tried disabling various suhosin features in php.ini? There's a fairly comprehensive list at:

http://www.hardened-php.net/suhosin/configuration.html

Turning off things like transparent session encryption could see a pretty drastic performance boost on sites that use automatic session tracking.

I heartily agree with the person who filed this bug report!

Please issue a PHP without the suhosin patch, for those of us for whom the patch creates more problems than it solves.

Baking the suhosin patch into the PHP distro has been very bad for those of us whose Web services have been disrupted by the spurious errors generated by this version of the suhosin patch. (The defect has been acknowledged by the author of the patch.)

By the way, dear Adam Conrad: Modifying php.ini has no effect on this problem; I've tried it. (I guess that the configuration is for the suhosin extension, not the patch.)

@adconrad yes please don't assume that this fixes all problem, even by setting suhosin to simulate mode only (as per your documentation link) it still does not work with zend correctly, which makes it a real pain for any PHP developers to use ubuntu based systems as their weapon of choice.

Yes, to follow up on dgltmoon's post, we always disabled the extension completely, and that's not the problem this bug is talking about. The problem is that a patch to the PHP core is always applied in the Ubuntu packages, and that always modifies behavior in ways that are both memory and cpu intensive no matter whether or not you turn off all possible suhoshin options including completely disabling (or not installing) the extension package.

This problem still exists with current Ubuntu releases (even without php-suhosin, the extension package, installed at all) and it's pretty surprising that it doesn't get addressed. There are tons of posts around the web about this problem and how to work around it, as well as numerous related bug posts. It seems like the Ubuntu PHP maintainers just aren't serious about providing an enterprise grade PHP setup on Ubuntu but instead only on targeting small users where perf is unimportant.

We'd still love a proper solution and continue to be forced to maintain our own packages because of this failure.

This is kinda like a cosmic joke. Half of the sites does not work with suhosin patch, yet you force it into your php5 build.

To my mind there should be just plain raw php5, and if user wishes so, he can add himself suhosin or whatever he wants to.

Please make it raw.

Debian has no unfortunately dropped suhosin core patches from their php5 packages, see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657698 .

Best solution IMHO would be to provide both, packages with the suhosin core patches and without.
Default should be _with_ suhosin core patches and without one could name the packages like php5-xxx-no-suhosin or so.

Perhaps Debian and Ubuntu can contribute each other a little bith here?

Cheers,
Chris.

This really needs to get addressed. Migrating to Ubuntu server just cost me half a day of debugging to find Suhosin patch is baked into the executable and is *NOT* being disabled through either .htaccess or php.ini methods. I understand it's a good idea to provide this additional security, but unfortunately the patch causes coredumps when processing large xml files in Zend and other happy fun errors that are simply not present in other Linux distributions.

Having to compile and maintain my own Suhosin-free packages is a solution, but not a good one.

It's a good idea, but is definitely *NOT* ready as a default.

As of 5.4.4-1ubuntu1 in quantal, Suhosin patch has been disabled. See http://changelogs.ubuntu.com/changelogs/pool/main/p/php5/php5_5.4.6-1ubuntu1.5/changelog.