Monday, November 27. 2006
Today I stumbled by accident upon two wonderful examples of how bugs should not be treated. One is from the Zend Framework and the other is from the PHP bug system. In both cases bugs are immediately blamed on Suhosin-Patch, although the patch is quite small and is used with lots of software without a single problem.
In the first example, failing unit tests in the Framework are immediately blamed by the authors on the presence of Suhosin-Patch, just because they are unable to reproduce them. Luckily, Sebastian is not the average user who stops here, and so he tells them that the same happens without Suhosin-Patch. I also like the statement by the Zend Framework guys that compatibility with Suhosin-Patch is not a requirement. That basically means FreeBSD users should NOT use Zend Framework at all.
In the second example, someone reports a problem with recode.so to the PHP bugtracker, and Antony from Zend, who is known for his aggressive tone against bug reporters, immediately refuses to accept the bug because the person is using the Suhosin-Patch. This behaviour is unbelievable, especially because recode.so has a history of mysterious crashes, especially on FreeBSD systems. It is likely that the problem has now become reproducible by the use of Suhosin-Patch, but according to PHP.net's strategy, bugs that will become invisible without Suhosin-Patch do not exist. It would not be the first time that Suhosin-Patch/Hardening-Patch brings to light a bug that was so deeply hidden, occurring only sometimes and only under some strange configurations, that it was unreproducible and never fixed.
I guess FreeBSD, OpenBSD, Dotdeb, ... users will have a lot of fun with PHP.net's bug tracking system in the future, because they have chosen to secure their PHP and PHP.net obviously refuses them this choice.