It seems Suhosin patches and extends the PHP core as a means to protect users from flaws in the core. It also seems some smart people are using this system. Since it appears to be a good thing, I'm curious as to why its not part of the PHP core to begin with. Anybody know?
Update: Apparently some distributions of Linux also package PHP with Suhosin by default. This seems to be true for Debian (Lenny at least) and Arch Linux. Any other distributions package PHP with Suhosin by default?
I wonder have they contributed their code back into the main php project?
This is usually how new code gets integrated into open-source projects.
I would guess the main reasons for the php team not to include Suhosin are:
To elaborate on Toby Allen's answer (this wouldn't fit into a comment)....
One of the main guys behind Suhosin is Stephen Esser. Stephen seems to have had on ongoing disagreement with the PHP core developers with regard to security over the last few years. He was also one of the guys behind the month of PHP bugs which was intended to draw attention to the (in Stephen's opinion) sad state of PHP core security.
Given that the Suhosin guys have decided to go their own way and work outside the PHP project, I can imagine that:
Some Linux distributions such as Debian (Etch and Lenny), Ubuntu and Arch include the Suhosin patch in their PHP package, so on those systems you'll often find it's turned on by default. Red Hat derived distributions (Red Hat Enterprise, CentOS, Fedora, etc) don't include Suhosin in their PHP packages.
Note: I have no association with Core PHP devs, or Suhosin, but a reasonable guess based on some of the personalities involved.
By the way, did anyone notice that newest Debian release (Lenny) includes Suhosin in PHP by default. It's there, want it or not. Something to be aware of when upgrading.