Re: PHP extensions FTBFS in jessie, c.f. #805222

To: debian-lts@lists.debian.org
Subject: Re: PHP extensions FTBFS in jessie, c.f. #805222
From: Roberto C. Sánchez <roberto@debian.org>
Date: Thu, 19 Sep 2019 13:26:19 -0400
Message-id: <[🔎] 20190919172619.jsvzrzitcss66x7g@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] 20190915112924.fk6dktegfzpdqvo2@connexer.com>
References: <[🔎] 20190907153446.e4r7rrrvyzff2x5a@connexer.com> <[🔎] 20190915112924.fk6dktegfzpdqvo2@connexer.com>

As I have not received any feedback on this I am going to assume that I
have taken the correct approach and I will be uploading php5 later
today, followed by a clean build then upload of php-pecl-http tomorrow
(utilizing the new php5 once it is available in the archive).

Regards,

-Roberto

On Sun, Sep 15, 2019 at 07:29:24AM -0400, Roberto C. Sánchez wrote:
> Hello all,
> 
> I wanted to follow-up on the issue of building PHP extensions in jessie.
> 
> On Sat, Sep 07, 2019 at 11:34:46AM -0400, Roberto C. Sánchez wrote:
> > Hello all,
> > 
> > In working on an update for php-pecl-http I discovered that (all? nearly
> > all?) PHP extensions fail to build in jessie because of a bug in php5.
> > Specifically, the bug is #805222.
> > 
> > It appears that jessie was originally released with PHP 5.6.7 and the
> > bug in question became known when PHP 5.6.16 was in unstable.  A fix was
> > made to php5 and the separate php-pear package in unstable, but fixes
> > were never made to jessie while it was stable or oldstable.
> > 
> > It seems that this update of php-pecl-http is the first PECL extension
> > security update in jessie, which is why this problem has not previously
> > appeared.  Though, the last comment on #805222 indicates that at least
> > one user attempted to rebuild a PECL extension in jessie/stable and
> > encountered the failure.  No action was taken on his follow-up to the
> > bug.
> > 
> In exploring the history of php5 in unstable, version 5.6.16+dfsg-3
> contained this changelog entry:
> 
>   * Revert PEAR version to last working version from PHP 5.6.14
>     (Closes: #805222)
> 
> Based on that I downloaded the 5.6.14 release archive from upstream and
> used that to replace the PEAR in the jessie version in the same way that
> Ondřej did in that version.
> 
> > I have added php5 to dla-needed.txt and, unless there are objections, it
> > is my intention to begin working on an update that addresses this bug in
> > jessie.  I would then test it in an environment where I could attempt to
> > build php-pecl-http to 1) verify that php5 is actually fixed with regard
> > to #805222, and 2) that php-pecl-http can be made to build from source.
> > 
> After replacing PEAR as described above, I build php5, installed it in a
> jessie chroot and then was able to successfully build php-pecl-http.
> 
> My proposed course of action is:
> 
> - Upload a php5 update with this change:
> 
> php5 (5.6.40+dfsg-0+deb8u6) jessie-security; urgency=high
> 
>   * Non-maintainer upload by the LTS Team.
>   * Revert PEAR version to last working version from PHP 5.6.14
>     (Closes: #805222)
> 
>  -- Roberto C. Sanchez <roberto@debian.org>  Sun, 15 Sep 2019 07:02:48 -0400
> 
> - Release a DLA describing the reason for the update/change
> - In addition to the CVE-2016-7398 patch to php-pecl-http, include this
>   change:
> 
> diff --git a/debian/control b/debian/control
> index 9e1da87..db7b4b3 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -3,8 +3,9 @@ Section: web
>  Priority: optional
>  Maintainer: Facundo Guerrero <guerremdq@gmail.com>
>  Uploaders: Ulises Vitulli <dererk@debian.org> 
> -Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev, dh-php5, 
> - pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev, chrpath
> +Build-Depends: debhelper (>= 9), po-debconf, xsltproc, php5-dev (>= 5.6.40+dfsg-0+deb8u6), dh-php5, 
> + pkg-php-tools (>= 1.6), php5-raphf-dev, php5-propro-dev, libpcre3-dev, chrpath,
> + php-pear (>= 5.6.40+dfsg-0+deb8u6)
>  Standards-Version: 3.9.5
>  Homepage: http://pecl.php.net/package/pecl_http
> 
> - Proceed with the normal upload/advisory process for php-pecl-http
> 
> The main items where I would like to make sure I have not overlooked
> something important are:
> 
> - Does updating php5 in this way make sense/seem appropriate?
> - Does the change to Build-Depends in php-pecl-http seem
>   correct/necessary?
> 
> Unless I hear any objections or suggested alternatives I intend to go
> ahead with the steps outlined above late this week.
> 
> Regards,
> 
> -Roberto
> 
> -- 
> Roberto C. Sánchez

-- 
Roberto C. Sánchez

Reply to:

References:
- PHP extensions FTBFS in jessie, c.f. #805222
  - From: Roberto C. Sánchez <roberto@debian.org>
- Re: PHP extensions FTBFS in jessie, c.f. #805222
  - From: Roberto C. Sánchez <roberto@debian.org>

Prev by Date: (E)LTS report for August
Next by Date: (semi-)automatic unclaim of packages with more than 2 weeks of inactivity
Previous by thread: Re: PHP extensions FTBFS in jessie, c.f. #805222
Next by thread: Re: since update 1.3.3.5-4+deb8u5 php ldap authentification failure
Index(es):
- Date
- Thread