Removing web server dependencies from web apps
It's been a long time I'm thinking about writing a message like this one
to -devel. I hope I can convince others.
In many large installations, web servers are providing spaces in a chroot.
Myself, I use sbox (which I rewrote for a big part) to provide this to
my customers, so that each site that runs scripts (Perl, Python, Ruby or
PHP) can do so in a safe, secure, chroot environment. Since it would
otherwise take too much space to have a full debian chroot for each
site, I use AUFS to provide it. So I have a template operating system,
on which there is PHP, Ruby, Python and Perl support, all running as CGI.
I know others are using tools like php-fpm to achieve the same thing.
Running sites in a chroot environment is increasingly important
considering how much security issues are regularly discovered.
The issue is that most PHP packages in Debian have dependencies on web
servers, most of the time with something like this:
Depends: apache2 | httpd, libapache2-mod-php5 | php5-cgi
Also, it's very surprising to see that we have dependencies for web
servers, but most of the time *not* for mysql-server, which is as much
needed in order to run these applications. I really don't understand the
logic behind this.
But since I would install these packages in the chroot template, I *do
not* want to install apache there. The result is that I can't install
popuplar packages like wordpress, gallery, phpbb3 and so on, unless I
rebuild them and remove the "apache2 | httpd" dependency. I suspect that
I wouldn't be the only one with the issue.
Remember that a strong dependency is *forcing* users to install things,
and when, like here, it's going the wrong way for what one would do,
it's just *bad* (tm).
So, my suggestion would be to actually *remove* the dependency to the
web server (and move it as a Recommends: if you see fit...). I would
strongly advocate for this as being written in our beloved policy.
What do others think about this?
Thomas Goirand (zigo)