Red Hat Bugzilla – Bug 176459
RFE: php-pear bundles unnecessary packages in main RPM; slim it down?
Last modified: 2007-11-30 17:07:22 EST
Just wondering if there is a possibility that this bug could be fixed in RHEL4
as well. I use the webmail package Horde (which I know is not supported, but
am hoping it ends up in Fedora Extras soon :-). Horde requires a newer version
of the DB and Mail pear modules that in RHEL4 are bundled in php-pear, but are
not in rawhide. Basically, for the same reasons that this was fixed in Rawhide
in the cloned bug.
Should be a simple fix for RHEL4 - It looks to me like the tar files for DB,
Mail, HTTP, Net_SMTP, Net_Socket and XML_Parser can just be removed from
the /pear/packages folder in the php source tarball.
+++ This bug was initially created as a clone of Bug #173808 +++
php-pear currently bundles a bunch of PEAR packages which don't superficially
appear to be "core" to PEAR. Packages bundled up in php-pear can't be upgraded
(in a nice RPM way) without rebuilding the whole bundle. This of course also
means that there is more stuff to distribute (a whole bundle) in the event of a
bug in one single package.
I would suggest that php-pear includes the absolute minimum of bundled PEAR
packages, and all other PEAR modules are packaged separately, so as not to
unnecessarily inhibit the upgrading of individual PEAR modules. The minimal set
installed by the PEAR bootstrap on http://go-pear.org/ seems to be:
which is considerably smaller than the set of packages that the current php-pear
bundle provides (which currently includes Net_SMTP, Net_Socket,
Net_UserAgent_Detect, HTTP, HTML_Template_IT, DB and XML_Parser in addition to
-- Additional comment from firstname.lastname@example.org on 2005-12-01 17:22 EST --
Done in php-pear-1.4.5-2. I couldn't find OS_Guess so I guess it's legacy.
-- Additional comment from email@example.com on 2005-12-02 02:09 EST --
I had a look into it and it seems OS_Guess is not a "real" package, just a
script which is internal to PEAR but named using the same conventions as normal
packages. Unlike the other bundled packages, it's not available separately on
To be honest, I think php-pear should contain only Pear.
All those other items (except OS_Guess) can be updated separately and at some
time for software compatibility might need to be.
I believe that php-pear should be handled exactly like perl ... the main package
contains only perl, and all add-on modules are packaged separately.
Archive_Tar, Console_Getopt and XML_RPC are dependencies of PEAR - see
Perl also provides more than just 'perl' - check 'rpm -q --provides perl'
Sorry, I think I misunderstood what you meant. If you're asking they be
packaged in 4 rpms instead of 1, then I think that's an argument best
discussed on the Fedora bug report of which this is a clone, or starting a
Created attachment 122567 [details]
patch for php.spec
The patch above works to build a php-pear without the extra modules.
It looks like the unneeded modules were removed in php-4.3.11 -
http://marc.theaimsgroup.com/?l=php-dev&m=111454931632260&w=2 - "It was
becoming increasingly difficult to maintain the bundles, and because older
versions were often bundled, it introduced potential security risks as well."
Changing severity to 'security', as that's the gist of the mailing list post
from the PHP developer above. I looked but didn't find specific cases of
security issues with the bundled versions of DB, Mail, HTTP, Net_SMTP,
Net_Socket and XML_Parser, but is it not better to be as proactive as they were?
Thanks for filing the bug.
PEAR packages cannot be removed from php-pear in an update to RHEL4 since this
would break working configurations (which may rely on the presence of said
packages). In a future RHEL release, the changes made in Fedora Core to split
out and strip down the php-pear package will be picked up.