Bug 548260

Summary: phpMyAdmin bundles tcpdf
Product: [Fedora] Fedora
Reporter: David Nalley <david>
Component: phpMyAdmin
Assignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 19
CC: christoph.wickert, fedora, mmcgrath, redhat-bugzilla, sergio, shawn, tcallawa
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: phpMyAdmin-4.0.10.1-1.el6
Doc Type: Bug Fix
Last Closed: 2014-07-30 07:00:24 UTC
Bug Blocks: 504493, 959946

Description David Nalley 2009-12-17 01:57:43 UTC
phpMyAdmin bundles tcpdf (libraries/tcpdf) 

Bundled libraries require an exception from FESCo 
https://fedoraproject.org/wiki/Packaging:No_Bundled_Libraries

Comment 1 David Nalley 2009-12-17 03:42:00 UTC
Mike: 

libraries/blowfish.php also appears to be a bundled lib.

Comment 2 Robert Scheck 2009-12-17 07:10:03 UTC
David: Where does libraries/blowfish.php come from (package name)?

Comment 3 Robert Scheck 2009-12-17 07:11:51 UTC
Regarding tcpdf: I can't see that Fedora would provide that library anywhere
right now as a package.

Comment 4 David Nalley 2009-12-17 13:37:43 UTC
Regarding tcpdf:
My understanding of the packaging guidelines (which could be flawed) is that it doesn't matter whether or not Fedora already offers the bundled library as a package, but rather whether or not it's a separate package, e.g. it becomes incumbent on the packager to unbundle.

To illustrate some of the problems, tcpdf is actually included in two packages within Fedora already (and at least a third under review now). To illustrate some of the 'standard problems' that bundled libraries bring:
Moodle is using v 1.53.0.TC023_PHP4
phpMyAdmin is using v. 2.2.002
upstream is at: 4.8.19

There is also a different (albeit compatible) license in play between phpMyAdmin and tcpdf. However, inclusion of tcpdf which bundles fonts seems at least on the surface to present a licensing challenge, as the fonts are licensed under the Bitstream Vera and Aver license (at least per the license file included) which at least appears to be non-GPL compatible. 


WRT to blowfish - it appears the original code was stripped from horde from reading the source, and this same encryption library appears in varying versions in: 
phpldapadmin
phpMyAdmin 
dokuwiki
horde

It does appear that phpMyAdmin has committed changes to blowfish.php that haven't been upstreamed (effectively forking).

Comment 5 Bug Zapper 2010-11-04 03:09:08 UTC
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Bug Zapper 2010-12-04 01:33:41 UTC
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Comment 7 Christoph Wickert 2010-12-13 19:13:40 UTC
Reopening.

Comment 8 Fedora Admin XMLRPC Client 2011-04-05 08:59:44 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 9 Robert Scheck 2011-07-27 00:18:49 UTC
Tom, any suggestions regarding tcpdf and blowfish stuff?

Comment 10 Tom "spot" Callaway 2011-07-28 19:27:23 UTC
tcpdf is... nasty. Bundled fonts embedded into the php files. I'm not sure there is a good way to unbundle the fonts in tcpdf.

I haven't looked at blowfish, but it seems like if they've forked, it might be worth considering for a bundled exception.

Personally, if this was my package, I'd just retire it and let it die a slow death.

Comment 11 Robert Scheck 2011-09-18 00:45:15 UTC
Copied comment from https://bugzilla.redhat.com/show_bug.cgi?id=629214#c8:

Tom "spot" Callaway  2011-08-02 12:03:48 EDT
Well, it has TCPDF (LGPLv3+) bundled inside of it, and I think I've already
made my concerns about it clear (re: bundling of fonts in odd ways), but from a
strict licensing perspective, here's what I found:

* TCPDF (overall LGPLv3+, but bundles the following fonts):
 - Al-Mohanad (unknown license)
 - dejavu-*-fonts (Bitstream Vera and Public Domain, in Fedora)
 - gnu-free-fonts (GPLv2+ with font exception, in Fedora)
 - Zar Bold (GPLv2+)

It also has:

* JAMA (mix of Public Domain and PHP), closest thing to an upstream I could
find was here: http://php.livejournal.com/270125.html
* OLE/PPS (PHP) derived from OLE::Storage_Lite
* PclZip (GPL+ or LGPLv2+)

The rest is LGPLv2+.

Excluding the fonts, there are no licensing compatibility concerns, and I'm not
going to give myself a headache and consider the license compatibility issues
with embedded fonts in the php code to the rest of the php code. The notable
exception is Al-Mohanad, which either needs to have its license identified or
simply removed.

So, in conclusion: Bundling galore, including particularly nasty TCPDF, but
licensing is okay at: "LGPLv2+ and LGPLv3+ and PHP", assuming that the fonts
are unbundled (if even possible, it may not be) and Al-Mohanad is removed.

There's a lot of assumptions in there. TCPDF is going to be a holy terror to
package properly.

Comment 12 Fedora End Of Life 2013-04-03 20:13:58 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 13 Sergio Basto 2013-10-09 01:27:24 UTC
Remi packed php-tcpdf

http://koji.fedoraproject.org/koji/packageinfo?packageID=16199

Comment 14 Sergio Basto 2013-10-09 01:46:47 UTC
Remi packed php-tcpdf

http://koji.fedoraproject.org/koji/packageinfo?packageID=16199

repoquery -q php-tcpdf\* --nvr
php-tcpdf-6.0.024-1.fc19
php-tcpdf-dejavu-lgc-sans-fonts-6.0.024-1.fc19
php-tcpdf-dejavu-lgc-sans-mono-fonts-6.0.024-1.fc19
php-tcpdf-dejavu-lgc-serif-fonts-6.0.024-1.fc19
php-tcpdf-dejavu-sans-fonts-6.0.024-1.fc19
php-tcpdf-dejavu-sans-mono-fonts-6.0.024-1.fc19
php-tcpdf-dejavu-serif-fonts-6.0.024-1.fc19
php-tcpdf-gnu-free-mono-fonts-6.0.024-1.fc19
php-tcpdf-gnu-free-sans-fonts-6.0.024-1.fc19
php-tcpdf-gnu-free-serif-fonts-6.0.024-1.fc19

Comment 15 Remi Collet 2013-12-12 06:17:13 UTC
To unbundle tcpdf and use system one, you just need to update the vendor_config.php with 

    -e "/'TCPDF_INC'/s@./libraries/tcpdf/tcpdf.php@%{_datadir}/php/tcpdf/tcpdf.php@" \

And add:

Requires:  php-tcpdf
Requires:  php-tcpdf-dejavu-sans-fonts

phpMyAdmin version 4.1.0 is the first version to support tcpdf 6.0.x (without patch).
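
The unbundling step from comment 15, written out as an added example (not the Fedora spec file and not code from anyone in this thread). The sample tree, the `libraries/vendor_config.php` location, the function names and the `/usr/share` expansion of `%{_datadir}` are assumptions. The verification step is there because `sed` exits successfully even when the pattern no longer matches, which would leave the package pointing at a bundled copy that has been deleted.

```shell
#!/bin/sh
# Added example. The tree below is constructed; it is not a phpMyAdmin tarball.

# Build a constructed stand-in for a source tree that bundles tcpdf.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/libraries/tcpdf"
    echo "<?php // bundled copy" > "$tree/libraries/tcpdf/tcpdf.php"
    cat > "$tree/libraries/vendor_config.php" <<'EOF'
<?php
define('TCPDF_INC', './libraries/tcpdf/tcpdf.php');
EOF
    echo "$tree"
}

# Point TCPDF_INC at the system library (same sed expression as comment 15,
# with %{_datadir} expanded), then delete the bundled copy.
unbundle_tcpdf() {
    tree=$1
    datadir=${2:-/usr/share}    # assumed value of %{_datadir}
    cfg="$tree/libraries/vendor_config.php"
    [ -f "$cfg" ] || return 2
    sed -e "/'TCPDF_INC'/s@./libraries/tcpdf/tcpdf.php@${datadir}/php/tcpdf/tcpdf.php@" \
        "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg" || return 2
    rm -rf "$tree/libraries/tcpdf"
}

# Succeed only if the bundled copy is gone, nothing still refers to it,
# and TCPDF_INC names the system path.
verify_unbundled() {
    tree=$1
    datadir=${2:-/usr/share}
    [ ! -e "$tree/libraries/tcpdf" ] || return 1
    if grep -rq "libraries/tcpdf/" "$tree"; then return 1; fi
    grep -q "'TCPDF_INC', *'${datadir}/php/tcpdf/tcpdf.php'" \
        "$tree/libraries/vendor_config.php"
}

# Print the TCPDF_INC line so the result can be inspected.
tcpdf_inc_line() { grep "'TCPDF_INC'" "$1/libraries/vendor_config.php"; }

# Demo run on the constructed tree.
demo_tree=$(make_sample_tree)
unbundle_tcpdf "$demo_tree" && verify_unbundled "$demo_tree" && tcpdf_inc_line "$demo_tree"
rm -rf "$demo_tree"
```

In a spec file the same check would run at the end of `%prep`, so that a future upstream change to the `define` line fails the build.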

Comment 16 Fedora Update System 2014-07-19 18:26:14 UTC
phpMyAdmin-4.2.6-1.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/phpMyAdmin-4.2.6-1.fc20

Comment 17 Fedora Update System 2014-07-19 18:27:02 UTC
phpMyAdmin-4.2.6-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/phpMyAdmin-4.2.6-1.fc19

Comment 18 Fedora Update System 2014-07-19 18:27:35 UTC
phpMyAdmin-4.2.6-1.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/phpMyAdmin-4.2.6-1.el6

Comment 19 Fedora Update System 2014-07-20 17:59:34 UTC
Package phpMyAdmin-4.2.6-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing phpMyAdmin-4.2.6-1.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1940/phpMyAdmin-4.2.6-1.el6
then log in and leave karma (feedback).

Comment 20 Fedora Update System 2014-07-30 07:00:24 UTC
phpMyAdmin-4.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 Fedora Update System 2014-07-30 07:02:16 UTC
phpMyAdmin-4.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 22 Fedora Update System 2014-08-07 11:45:37 UTC
phpMyAdmin-4.0.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.