Suhosin is disbled by default in Debian, and soon Ubuntu - i hope

I think is the right aproach 

I don't believe in security by obscurity (this random patch it will secure your php ... riiight)

suhosin shouldn't be a patch it should be inside of php core or as module (think like the selinux situation) , So debian guys are right use the upstream unpatched version , let the core php devels decide if suhosin is right or wrong for them :less bugs , less patches , life is better = more security and fast updates in debian

Did i told you that upstream doesn't test suhosin patch when they run the tests ?
And with that patch php core is not the same , there are some bugs that i found related to it  (in debian/ubuntu) and it happens only when that invasive patch is applied