PHP and Debian
note: this page is a work in progress.
PHP and Debian
- The first place you should go for information
- How PHP is packaged in Debian
- For packagers of PHP applications/modules/libraries
- For those interested in helping with PHP in Debian
- Notes on PHP and security
- Jessie Testing errata
- Wheezy 7 errata
- Squeeze 6 errata
- Notes on Floating Point Rounding
- Proposed changes
- Further Information
From the package description:
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to allow web developers to write dynamically generated pages quickly.
This page contains information and links helpful for users and packagers of PHP software in Debian. It also contains any errata for the latest stable release of Debian. It is not meant to supercede documentation provided in the PHP packages, nor is it meant as a general reference for programming in PHP. For those see the Further Information section.
The first place you should go for information
/usr/share/doc/php*. Most notably, README.Debian and NEWS.Debian, just like any other package. Note that if you are visiting this page while following the directions in that file, abort now because you're in an infinite loop
How PHP is packaged in Debian
Please check the Debian PTS for specific version information.
For every N where N is a php major version, a metapackage phpN exists which will require at least one functioning php server engine installed (i.e. libapache2-mod-php5, php5-cgi, etc). Beyond this, there's always:
apt-cache search php
...will give you a long list of php related packages. For more specifics on the package naming schemes, you should check the PHP draft policy in Further Information.
For each major release N of PHP (where N is 4 or 5), each of the 4 SAPI's (apache/apache2/cgi/cli) have a different central configuration file /etc/phpN/$SAPI/php.ini.
Additionally, each SAPI is configured with the compile-time option
which for all SAPI's is actually a symlink pointing to a central directory /etc/phpN/conf.d. Any file found in this directory ending in .ini will be treated as a configuration file by the PHP SAPI.
The rationale with this method is that each SAPI can thus be identically configured with a minimal amount of conffile handling, but at the same time if you want to have SAPI-specific configuration, you can just remove the symlink.
For packagers of PHP applications/modules/libraries
You should consider taking a look at the PHP draft policy. There's also a mailing list for web applications packagers, firstname.lastname@example.org . While the list is technically for webapp packaging-related issues, you should feel welcome to post purely PHP-packaging-related questions as well, as there is a significant overlap in the audience and you're more likely to get a response from here than from mailing the PHP packagers.
For those interested in helping with PHP in Debian
The first thing you should do is send an email to the Debian PHP maintainer's list, email@example.com. Help is often needed and always appreciated.
Notes on PHP and security
It's highly recommended that you read README.Debian.security in /usr/share/doc/php*.
In short, security support for PHP places a high load on the package maintainers, because of the volume of security-related issues and the difficulty of working with the upstream authors in finding the fixes. As such, PHP security issues are typically triaged with different priorities based on the particulars of the issue.
- issues involving features that are broken as designed (safe mode, register globals, etc) are completely ignored
- issues that require a malicious local user (unless there are compelling reasons otherwise) are ignored.
- issues involving unsafe application usage (applications not filtering input before passing to certain functions) are usually given a low priority or sometimes even ignored in favor of reporting bugs against the offending applications
- issues involving remote code execution (buffer overflows, code inclusion, etc) are given the highest priority
The Debian PHP maintainers work fairly closely with the Debian security (esp. secure-testing) teams, as well as the Ubuntu PHP maintainers, so you can be generally assured that properly reported bugs tagged as security-relevant will be handled as promptly and transparently as possible.
As of version 5.2.4-1 the suhosin patch is enabled by default in Debian PHP5 packages.
Jessie Testing errata
After the release of Jessie, any miscellaneous information/documentation/errata for the PHP version in Jessie shall be documented here. Note that this is not a place for bug reports, though you should feel free to reference BTS reports if appropriate.
Wheezy 7 errata
Wheezy 7 is now Stable. No errata has been logged here for it.
Squeeze 6 errata
Squeeze 6 is now Oldstable within the security support window. No errata has been logged here for it.
Notes on Floating Point Rounding
See PHP/Rounding for some discussion of why floating point rounding does not behave as expected.
New/Better extensions manager
At some point between Sarge and Etch the PHP packages provide a new configuration layout. This new layout makes it easier for extensions to install their configuration files without having to modify the php.ini files.
The new extensions manager was first proposed in the pkg-php-maint list in May.
This new extensions manager provides a different layout similar to the way Apache/2 (in Debian) handles the sites and modules. The main advantage of this new layout is that an extension can be enabled/disabled on a given SAPI but keep it enabled/disabled on other SAPI's.
The new proposed layout looks like:
/etc/php5 /conf.d /bar.ini /foo.ini <------- /cgi | symbolic link to /conf.d | /etc/php5/conf.d/foo.ini /foo.ini - /cli /conf.d /apache2 /conf.d
In the above example the foo extension would only be enabled for in the CGI SAPI, rather than being enabled in all SAPI's.
In order to manage all the linking two new tools are provided: php5enext and php5disext.
Using the same example above, after executing
# php5enext all bar
The directories would look like:
/etc/php5 /conf.d /bar.ini <---------- - - /foo.ini <------- | | | /cgi | | | | /conf.d | | | | /foo.ini - | | | /bar.ini ---- | | /cli | | /conf.d | | /bar.ini ------ | /apache2 | /conf.d | /bar.ini --------
Meaning that bar.ini will be parsed by all known SAPIs (apache2, cgi, cli).
Status of the proposition
At the moment some work is being done on the Debian PHP Maintainers SVN repository.
Responsible of the proposition
The person you should contact/blame for this proposition/mess is Raphael Geissert (me ;-)).
Impact on existing extensions
The next extension manager requires the postinst and postrm scripts to be created.
Example postinst, shell, script:
# ... # Enable extension on all SAPIs: if [ -x /usr/sbin/php5enext ]; then /usr/sbin/php5enext all FOO quiet nonfatal fi
Example postrm, shell, script:
# ... # Disable extension on all SAPIs: if [ -x /usr/sbin/php5disext ]; then /usr/sbin/php5disext all FOO quiet nonfatal fi
Upgrading SAPIs to the new layout
The new SAPI packages would upgrade their old directory layout to the new one.
/etc/php5 /conf.d <------- /cgi | symbolic link /conf.d ----
/etc/php5 /conf.d /cgi /conf.d // Each SAPI has it's own conf.d directory
Upgrading extensions to the new layout
At the moment the SAPI packages are upgraded they will remove the $SAPI/conf.d symlink and thus disabling all the extensions.
Each, existing, extension will then have to manually upgrade by calling the php5enext script.
In other words: if an extension is not updated to use the new extensions manager it will be disabled on all SAPI's at the moment SAPI's are upgraded. The reason for this is because of a situation where broken symlinks would be kept (see this message by Steve)
php-security.org, authors of hardened php and frequent auditors of php's security.