Bug 176459 - RFE: php-pear bundles unnecessary packages in main RPM; slim it down?
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: php
All Linux
medium Severity medium
Assigned To: Joe Orton
David Lawrence
: FutureFeature
Reported: 2005-12-22 19:50 EST by Greg Swallow
Modified: 2007-11-30 17:07 EST

Doc Type: Enhancement
Last Closed: 2006-02-03 03:55:08 EST

Attachments
patch for php.spec (675 bytes, patch)
2005-12-23 19:39 EST, Greg Swallow

Description Greg Swallow 2005-12-22 19:50:57 EST
Just wondering if there is a possibility that this bug could be fixed in RHEL4 
as well.  I use the webmail package Horde (which I know is not supported, but 
am hoping it ends up in Fedora Extras soon :-).  Horde requires a newer version 
of the DB and Mail pear modules that in RHEL4 are bundled in php-pear, but are 
not in rawhide.  Basically, for the same reasons that this was fixed in Rawhide 
in the cloned bug.

Should be a simple fix for RHEL4 - It looks to me like the tar files for DB, 
Mail, HTTP, Net_SMTP, Net_Socket and XML_Parser can just be removed from 
the /pear/packages folder in the php source tarball.

+++ This bug was initially created as a clone of Bug #173808 +++

php-pear currently bundles a bunch of PEAR packages which don't superficially
appear to be "core" to PEAR. Packages bundled up in php-pear can't be upgraded
(in a nice RPM way) without rebuilding the whole bundle. This of course also
means that there is more stuff to distribute (a whole bundle) in the event of a
bug in one single package.

I would suggest that php-pear includes the absolute minimum of bundled PEAR
packages, and all other PEAR modules are packaged separately, so as not to
unnecessarily inhibit the upgrading of individual PEAR modules. The minimal set
installed by the PEAR bootstrap on http://go-pear.org/ seems to be:


which is considerably smaller than the set of packages that the current php-pear
bundle provides (which currently includes Net_SMTP, Net_Socket,
Net_UserAgent_Detect, HTTP, HTML_Template_IT, DB and XML_Parser in addition to
the above)

-- Additional comment from jorton@redhat.com on 2005-12-01 17:22 EST --
Done in php-pear-1.4.5-2.  I couldn't find OS_Guess so I guess it's legacy.

-- Additional comment from bugs@timj.co.uk on 2005-12-02 02:09 EST --
I had a look into it and it seems OS_Guess is not a "real" package, just a
script which is internal to PEAR but named using the same conventions as normal
packages. Unlike the other bundled packages, it's not available separately on
Comment 1 Johnny Hughes 2005-12-23 08:06:37 EST
To be honest, I think php-pear should contain only Pear.

All those other items (except OS_Guess) can be updated separately and at some
time for software compatibility might need to be.

I believe that php-pear should be handled exactly like perl ... the main package
contains only perl, and all add-on modules are packaged separately.
Comment 2 Greg Swallow 2005-12-23 12:41:14 EST
Archive_Tar, Console_Getopt and XML_RPC are dependencies of PEAR - see 

Perl also provides more than just 'perl' - check 'rpm -q --provides perl'
Comment 3 Greg Swallow 2005-12-23 12:56:03 EST
Sorry, I think I misunderstood what you meant.  If you're asking they be 
packaged in 4 rpms instead of 1, then I think that's an argument best 
discussed on the Fedora bug report of which this is a clone, or starting a 
new one.
Comment 4 Greg Swallow 2005-12-23 19:39:59 EST
Created attachment 122567
patch for php.spec
Comment 5 Greg Swallow 2005-12-23 19:48:20 EST
The patch above works to build a php-pear without the extra modules. 

It looks like the unneeded modules were removed in php-4.3.11 - 
http://marc.theaimsgroup.com/?l=php-dev&m=111454931632260&w=2 - "It was 
becoming increasingly difficult to maintain the bundles, and because older 
versions were often bundled, it introduced potential security risks as well."

Comment 6 Greg Swallow 2006-02-03 02:52:09 EST
Changing severity to 'security', as that's the gist of the mailing list post 
from the PHP developer above.  I looked but didn't find specific cases of 
security issues with the bundled versions of DB, Mail, HTTP, Net_SMTP, 
Net_Socket and XML_Parser, but is it not better to be as proactive as they were?
Comment 7 Joe Orton 2006-02-03 03:55:08 EST
Thanks for filing the bug.

PEAR packages cannot be removed from php-pear in an update to RHEL4 since this
would break working configurations (which may rely on the presence of said
packages).  In a future RHEL release, the changes made in Fedora Core to split
out and strip down the php-pear package will be picked up.
