Bug 548260

Summary: phpMyAdmin bundles tcpdf
Product: [Fedora] Fedora Reporter: David Nalley <david>
Component: phpMyAdminAssignee: Robert Scheck <redhat-bugzilla>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 19CC: cwickert, fedora, mmcgrath, redhat-bugzilla, sergio, shawn, tcallawa
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: phpMyAdmin- Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-30 03:00:24 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On:    
Bug Blocks: 504493, 959946    

Description David Nalley 2009-12-16 20:57:43 EST
phpMyAdmin bundles tcpdf (libraries/tcpdf) 

Bundled libraries require an exception from FESCo 
Comment 1 David Nalley 2009-12-16 22:42:00 EST

libraries/blowfish.php also appears to be a bundled lib.
Comment 2 Robert Scheck 2009-12-17 02:10:03 EST
David: Where does libraries/blowfish.php come from (package name)?
Comment 3 Robert Scheck 2009-12-17 02:11:51 EST
Regarding tcpdf: I can't see that Fedora would provide that library anywhere
right now as a package.
Comment 4 David Nalley 2009-12-17 08:37:43 EST
Regarding tcpdf:
My understanding of the packaging guidelines (which could be flawed) is that it doesn't matter whether or not Fedora already offers the bundled library as a package, but rather whether or not it's a separate package. eg. it becomes incumbent on the packager to unbundle. 

To illustrate some of the problems tcpdf is actually included in two packages within Fedora already (and at least a third under review now) To illustrate some of the 'standard problems' that bundled libraries bring: 
Moodle is using v 1.53.0.TC023_PHP4
phpMyAdmin is using v. 2.2.002
upstream is at: 4.8.19

There is also a different (albeit compatible) license in play between phpMyAdmin and tcpdf. However, inclusion of tcpdf which bundles fonts seems at least on the surface to present a licensing challenge, as the fonts are licensed under the Bitstream Vera and Aver license (at least per the license file included) which at least appears to be non-GPL compatible. 

WRT to blowfish - it appears the original code was stripped from horde from reading the source, and this same encryption library appears in varying versions in: 

It does appear that phpmyadmin has committed changes to blowfish.php that haven't been upstreamed (effectively forking)
Comment 5 Bug Zapper 2010-11-03 23:09:08 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 6 Bug Zapper 2010-12-03 20:33:41 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
Comment 7 Christoph Wickert 2010-12-13 14:13:40 EST
Comment 8 Fedora Admin XMLRPC Client 2011-04-05 04:59:44 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Robert Scheck 2011-07-26 20:18:49 EDT
Tom, any suggestions regarding tcpdf and blowfish stuff?
Comment 10 Tom "spot" Callaway 2011-07-28 15:27:23 EDT
tcpdf is... nasty. Bundled fonts embedded into the php files. I'm not sure there is a good way to unbundle the fonts in tcpdf.

I haven't looked at blowfish, but it seems like if they've forked, it might be worth considering for a bundled exception.

Personally, if this was my package, I'd just retire it and let it die a slow death.
Comment 11 Robert Scheck 2011-09-17 20:45:15 EDT
Copied comment from https://bugzilla.redhat.com/show_bug.cgi?id=629214#c8:

Tom "spot" Callaway  2011-08-02 12:03:48 EDT
Well, it has TCPDF (LGPLv3+) bundled inside of it, and I think I've already
made my concerns about it clear (re: bundling of fonts in odd ways), but from a
strict licensing perspective, here's what I found:

* TCPDF (overall LGPLv3+, but bundles the following fonts):
 - Al-Mohanad (unknown license)
 - dejavu-*-fonts (Bitstream Vera and Public Domain, in Fedora)
 - gnu-free-fonts (GPLv2+ with font exception, in Fedora)
 - Zar Bold (GPLv2+)

It also has:

* JAMA (mix of Public Domain and PHP), closest thing to an upstream I could
find was here: http://php.livejournal.com/270125.html
* OLE/PPS (PHP) derived from,OLE::Storage_Lite
* PclZip (GPL+ or LGPLv2+)

The rest is LGPLv2+.

Excluding the fonts, there are no licensing compatibility concerns, and I'm not
going to give myself a headache and consider the license compatibility issues
with embedded fonts in the php code to the rest of the php code. The notable
exception is Al-Mohanad, which either needs to have its license identified or
simply removed.

So, in conclusion: Bundling galore, including particularly nasty TCPDF, but
licensing is okay at: "LGPLv2+ and LGPLv3+ and PHP", assuming that the fonts
are unbundled (if even possible, it may not be) and Al-Mohanad is removed.

There's a lot of assumptions in there. TCPDF is going to be a holy terror to
package properly.
Comment 12 Fedora End Of Life 2013-04-03 16:13:58 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
Comment 13 Sergio Monteiro Basto 2013-10-08 21:27:24 EDT
Remi packed php-tcpdf

Comment 14 Sergio Monteiro Basto 2013-10-08 21:46:47 EDT
Remi packed php-tcpdf


repoquery -q php-tcpdf\* --nvr
Comment 15 Remi Collet 2013-12-12 01:17:13 EST
To unbundle tcpdf and use system one, you just need to update the vendor_config.php with 

    -e "/'TCPDF_INC'/s@./libraries/tcpdf/tcpdf.php@%{_datadir}/php/tcpdf/tcpdf.php@" \

And add:

Requires:  php-tcpdf
Requires:  php-tcpdf-dejavu-sans-fonts

ppMyAdmin version 4.1.0 is the first version to support tcpdf 6.0.x (wihtout patch).
Comment 16 Fedora Update System 2014-07-19 14:26:14 EDT
phpMyAdmin-4.2.6-1.fc20 has been submitted as an update for Fedora 20.
Comment 17 Fedora Update System 2014-07-19 14:27:02 EDT
phpMyAdmin-4.2.6-1.fc19 has been submitted as an update for Fedora 19.
Comment 18 Fedora Update System 2014-07-19 14:27:35 EDT
phpMyAdmin-4.2.6-1.el6 has been submitted as an update for Fedora EPEL 6.
Comment 19 Fedora Update System 2014-07-20 13:59:34 EDT
Package phpMyAdmin-4.2.6-1.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing phpMyAdmin-4.2.6-1.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 20 Fedora Update System 2014-07-30 03:00:24 EDT
phpMyAdmin-4.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 Fedora Update System 2014-07-30 03:02:16 EDT
phpMyAdmin-4.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2014-08-07 07:45:37 EDT
phpMyAdmin- has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.