Bug 176459

Summary: RFE: php-pear bundles unnecessary packages in main RPM; slim it down?
Product: Red Hat Enterprise Linux 4
Reporter: Greg Swallow <greg>
Component: php
Assignee: Joe Orton <jorton>
Status: CLOSED NEXTRELEASE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 4.0
CC: jhughes, joshkel
Target Milestone: ---
Keywords: FutureFeature
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2006-02-03 08:55:08 UTC
Attachments: patch for php.spec (flags: none)

Description Greg Swallow 2005-12-23 00:50:57 UTC
Just wondering if there is a possibility that this bug could be fixed in RHEL4 
as well.  I use the webmail package Horde (which I know is not supported, but 
am hoping it ends up in Fedora Extras soon :-).  Horde requires a newer version 
of the DB and Mail pear modules that in RHEL4 are bundled in php-pear, but are 
not in rawhide.  Basically, for the same reasons that this was fixed in Rawhide 
in the cloned bug.

Should be a simple fix for RHEL4 - It looks to me like the tar files for DB, 
Mail, HTTP, Net_SMTP, Net_Socket and XML_Parser can just be removed from 
the /pear/packages folder in the php source tarball.


+++ This bug was initially created as a clone of Bug #173808 +++

php-pear currently bundles a bunch of PEAR packages which don't superficially
appear to be "core" to PEAR. Packages bundled up in php-pear can't be upgraded
(in a nice RPM way) without rebuilding the whole bundle. This of course also
means that there is more stuff to distribute (a whole bundle) in the event of a
bug in one single package.

I would suggest that php-pear includes the absolute minimum of bundled PEAR
packages, and all other PEAR modules are packaged separately, so as not to
unnecessarily inhibit the upgrading of individual PEAR modules. The minimal set
installed by the PEAR bootstrap on http://go-pear.org/ seems to be:

PEAR
Archive_Tar
XML_RPC
Console_Getopt
OS_Guess

which is considerably smaller than the set of packages that the current php-pear
bundle provides (which currently includes Net_SMTP, Net_Socket,
Net_UserAgent_Detect, HTTP, HTML_Template_IT, DB and XML_Parser in addition to
the above)

-- Additional comment from jorton on 2005-12-01 17:22 EST --
Done in php-pear-1.4.5-2.  I couldn't find OS_Guess so I guess it's legacy.

-- Additional comment from bugs.uk on 2005-12-02 02:09 EST --
I had a look into it and it seems OS_Guess is not a "real" package, just a
script which is internal to PEAR but named using the same conventions as normal
packages. Unlike the other bundled packages, it's not available separately on
pear.php.net.

Comment 1 Johnny Hughes 2005-12-23 13:06:37 UTC
To be honest, I think php-pear should contain only Pear.

All those other items (except OS_Guess) can be updated separately and at some
time for software compatibility might need to be.

I believe that php-pear should be handled exactly like perl ... the main package
contains only perl, and all add-on modules are packaged separately.

Comment 2 Greg Swallow 2005-12-23 17:41:14 UTC
Archive_Tar, Console_Getopt and XML_RPC are dependencies of PEAR - see 
http://pear.php.net/package/PEAR/download/

Perl also provides more than just 'perl' - check 'rpm -q --provides perl'

Comment 3 Greg Swallow 2005-12-23 17:56:03 UTC
Sorry, I think I misunderstood what you meant.  If you're asking they be 
packaged in 4 rpms instead of 1, then I think that's an argument best 
discussed on the Fedora bug report of which this is a clone, or starting a 
new one.

Comment 4 Greg Swallow 2005-12-24 00:39:59 UTC
Created attachment 122567
patch for php.spec

Comment 5 Greg Swallow 2005-12-24 00:48:20 UTC
The patch above works to build a php-pear without the extra modules. 

It looks like the unneeded modules were removed in php-4.3.11 - 
http://marc.theaimsgroup.com/?l=php-dev&m=111454931632260&w=2 - "It was 
becoming increasingly difficult to maintain the bundles, and because older 
versions were often bundled, it introduced potential security risks as well."



Comment 6 Greg Swallow 2006-02-03 07:52:09 UTC
Changing severity to 'security', as that's the gist of the mailing list post 
from the PHP developer above.  I looked but didn't find specific cases of 
security issues with the bundled versions of DB, Mail, HTTP, Net_SMTP, 
Net_Socket and XML_Parser, but is it not better to be as proactive as they were?

Comment 7 Joe Orton 2006-02-03 08:55:08 UTC
Thanks for filing the bug.

PEAR packages cannot be removed from php-pear in an update to RHEL4 since this
would break working configurations (which may rely on the presence of said
packages).  In a future RHEL release, the changes made in Fedora Core to split
out and strip down the php-pear package will be picked up.