Just wondering if there is a possibility that this bug could be fixed in RHEL4 as well. I use the webmail package Horde (which I know is not supported, but am hoping it ends up in Fedora Extras soon :-). Horde requires a newer version of the DB and Mail pear modules that in RHEL4 are bundled in php-pear, but are not in rawhide. Basically, for the same reasons that this was fixed in Rawhide in the cloned bug.

Should be a simple fix for RHEL4 - It looks to me like the tar files for DB, Mail, HTTP, Net_SMTP, Net_Socket and XML_Parser can just be removed from the /pear/packages folder in the php source tarball.

+++ This bug was initially created as a clone of Bug #173808 +++

php-pear currently bundles a bunch of PEAR packages which don't superficially appear to be "core" to PEAR. Packages bundled up in php-pear can't be upgraded (in a nice RPM way) without rebuilding the whole bundle. This of course also means that there is more stuff to distribute (a whole bundle) in the event of a bug in one single package.

I would suggest that php-pear includes the absolute minimum of bundled PEAR packages, and all other PEAR modules are packaged separately, so as not to unnecessarily inhibit the upgrading of individual PEAR modules.

The minimal set installed by the PEAR bootstrap on http://go-pear.org/ seems to be:

PEAR
Archive_Tar
XML_RPC
Console_Getopt
OS_Guess

which is considerably smaller than the set of packages that the current php-pear bundle provides (which currently includes Net_SMTP, Net_Socket, Net_UserAgent_Detect, HTTP, HTML_Template_IT, DB and XML_Parser in addition to the above)

-- Additional comment from jorton on 2005-12-01 17:22 EST --

Done in php-pear-1.4.5-2. I couldn't find OS_Guess so I guess it's legacy.

-- Additional comment from bugs.uk on 2005-12-02 02:09 EST --

I had a look into it and it seems OS_Guess is not a "real" package, just a script which is internal to PEAR but named using the same conventions as normal packages. Unlike the other bundled packages, it's not available separately on pear.php.net.
To be honest, I think php-pear should contain only Pear. All those other items (except OS_Guess) can be updated separately and at some time for software compatibility might need to be. I believe that php-pear should be handled exactly like perl ... the main package contains only perl, and all add-on modules are packaged separately.
Archive_Tar, Console_Getopt and XML_RPC are dependencies of PEAR - see http://pear.php.net/package/PEAR/download/
Perl also provides more than just 'perl' - check 'rpm -q --provides perl'
Sorry, I think I misunderstood what you meant. If you're asking they be packaged in 4 rpms instead of 1, then I think that's an argument best discussed on the Fedora bug report of which this is a clone, or starting a new one.
Created attachment 122567: patch for php.spec
The patch above works to build a php-pear without the extra modules. It looks like the unneeded modules were removed in php-4.3.11 - http://marc.theaimsgroup.com/?l=php-dev&m=111454931632260&w=2 - "It was becoming increasingly difficult to maintain the bundles, and because older versions were often bundled, it introduced potential security risks as well."
Changing severity to 'security', as that's the gist of the mailing list post from the PHP developer above. I looked but didn't find specific cases of security issues with the bundled versions of DB, Mail, HTTP, Net_SMTP, Net_Socket and XML_Parser, but is it not better to be as proactive as they were?
Thanks for filing the bug. PEAR packages cannot be removed from php-pear in an update to RHEL4 since this would break working configurations (which may rely on the presence of said packages). In a future RHEL release, the changes made in Fedora Core to split out and strip down the php-pear package will be picked up.