Differences between revisions 1 and 7 (spanning 6 versions)
Revision 1 as of 2004-03-27 17:24:42
Size: 68
Editor: anonymous
Comment:
Revision 7 as of 2007-05-05 20:13:47
Size: 5849
Editor: SeanFinney
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
## Auto-converted by kwiki2moinmoin v2005-10-07
See [[["PHPWiki"]]]
= PHP and Debian =

''note'': this page is a work in progress.

[[TableOfContents()]]

== Overview ==

From the package description:

{{{
  PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
  from C, Java and Perl with a couple of unique PHP-specific features thrown
  in. The goal of the language is to allow web developers to write dynamically
  generated pages quickly.
}}}

This page contains information and links helpful for users and packagers of PHP software in debian. It also contains any errata for the latest stable release of debian. it is not meant to supercede documentation provided in the php package, nor is it meant as a general reference for programming in php. for those see the [#moreinfo Further Information] section.

== The first place you should go for information ==

{{{/usr/share/doc/php*}}}. Most notably, {{{README.Debian}}} and {{{NEWS.Debian}}}, just like any other package. Note that if you are visiting this page while following the directions in that file, abort now because you're in an infinite loop :)


== How PHP is packaged in Debian ==

=== Available versions ===

please check [http://packages.debian.org the debian PTS] for specific version information

|| '''release''' || '''php 4''' || '''php 5''' || '''php 6''' ||
|| sarge || yes || backports || no ||
|| etch || yes || yes || no ||
|| lenny (planned) || [:PHP4Removal:no] || yes || unknown ||


=== Available packages ===

for every N where N is a php major version, a metapackage phpN exists which will require at least one functioning php server engine installed (i.e. libapache2-mod-php4, php5-cgi, etc). beyond this, there's always

{{{apt-cache search php}}}

...will give you a long list of php related packages. for more specifics on the package naming schemes, you should check the php draft policy in [#moreinfo Further Information].

=== Configuration layout ===

For each major release N of php (where N is 4 or 5), each of the 4 SAPI's (apache/apache2/cgi/cli) have a different
central configuration file {{{/etc/phpN/$SAPI/php.ini}}}.

Additionally, each SAPI is configured with the compile-time option

{{{
        --with-config-file-scan-dir=/etc/phpN/$SAPI/conf.d
}}}

which for all SAPI's is actually a symlink pointing to a central
directory {{{/etc/phpN/conf.d}}}. Any file found in this directory ending
in .ini will be treated as a configuration file by the php SAPI.

The rationale with this method is that each SAPI can thus be
identically configured with a minimal amount of conffile handling,
but at the same time if you want to have SAPI-specific configuration,
you can just remove the symlink.


== For packagers of PHP applications/modules/libraries ==

you should consider taking a look at the [http://webapps-common.alioth.debian.org/draft-php/html/ php draft policy]. there's also a mailing list for web applications packagers, debian-webapps@lists.debian.org . while the list is technically for webapp packaging-related issues, you should feel welcome to post purely php-packaging-related questions as well, as there is a significant overlap in the audience and you're more likely to get a response from here than from mailing the php packagers.

== For those interested in helping with PHP in Debian ==

the first thing you should do is send an email to the debian php maintainer's list, pkg-php-maint@lists.alioth.debian.org . help is often needed and always appreciated.

== Notes on PHP and security ==

it's highly recommended that you read README.Debian.security in /usr/share/doc/php*.

in short, security support for php places a high load on the package maintainers, because of the volume of security-related issues and the difficulty of working with the upstream authors in finding the fixes. as such, php security issues are typically triaged with different priorities based on the particulars of the issue.

 * issues involving features that are broken as designed (safe mode, register globals, etc) are completely ignored
 * issues that require a malicious local user (unless there are compelling reasons otherwise) are ignored.
 * issues involving unsafe application usage (applications not filtering input before passing to certain functions) are usually given a low priority or sometimes even ignored in favor of reporting bugs against the offending applications
 * issues involving remote code execution (buffer overflows, code inclusion, etc) are given the highest priority

the debian php maintainers work fairly closely with the debian security (esp. secure-testing) teams, as well as the ubuntu php maintainers, so you can be generally assured that properly reported bugs tagged as security-relevant will be handled as promptly and transparently as possible.

the debian php maintainers are currently considering application of the suhosin php patches to the php core engine for lenny.

== Etch errata ==

after the release of etch, any miscellaneous information/documentation/errata for the php version in etch shall be documented here. note that this ''is not a place for bug reports'', though you should feel free to reference BTS reports if appropriate.

[[Anchor(moreinfo)]]
== Further Information ==

 * /usr/share/doc/php*
 * [http://www.php.net official php homepage]
 * [http://php-security.org php-security.org], authors of hardened php and frequent auditors of php's security.
 * [http://bugs.debian.org/src:php4 bugs against php4 source package]
 * [http://bugs.debian.org/src:php5 bugs against php5 source package]
 * [http://webapps-common.alioth.debian.org/draft-php/html/ draft php packaging policy]
 * debian php maintainer's list: pkg-php-maint@lists.alioth.debian.org
 * debian-webapps mailing list: debian-webapps@lists.debian.org

PHP and Debian

note: this page is a work in progress.

?TableOfContents()

Overview

From the package description:

  PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
  from C, Java and Perl with a couple of unique PHP-specific features thrown
  in. The goal of the language is to allow web developers to write dynamically
  generated pages quickly.

This page contains information and links helpful for users and packagers of PHP software in debian. It also contains any errata for the latest stable release of debian. it is not meant to supercede documentation provided in the php package, nor is it meant as a general reference for programming in php. for those see the [#moreinfo Further Information] section.

The first place you should go for information

/usr/share/doc/php*. Most notably, README.Debian and NEWS.Debian, just like any other package. Note that if you are visiting this page while following the directions in that file, abort now because you're in an infinite loop :)

How PHP is packaged in Debian

Available versions

please check [http://packages.debian.org the debian PTS] for specific version information

release

php 4

php 5

php 6

sarge

yes

backports

no

etch

yes

yes

no

lenny (planned)

[:PHP4Removal:no]

yes

unknown

Available packages

for every N where N is a php major version, a metapackage phpN exists which will require at least one functioning php server engine installed (i.e. libapache2-mod-php4, php5-cgi, etc). beyond this, there's always

apt-cache search php

...will give you a long list of php related packages. for more specifics on the package naming schemes, you should check the php draft policy in [#moreinfo Further Information].

Configuration layout

For each major release N of php (where N is 4 or 5), each of the 4 SAPI's (apache/apache2/cgi/cli) have a different central configuration file /etc/phpN/$SAPI/php.ini.

Additionally, each SAPI is configured with the compile-time option

        --with-config-file-scan-dir=/etc/phpN/$SAPI/conf.d

which for all SAPI's is actually a symlink pointing to a central directory /etc/phpN/conf.d. Any file found in this directory ending in .ini will be treated as a configuration file by the php SAPI.

The rationale with this method is that each SAPI can thus be identically configured with a minimal amount of conffile handling, but at the same time if you want to have SAPI-specific configuration, you can just remove the symlink.

For packagers of PHP applications/modules/libraries

you should consider taking a look at the [http://webapps-common.alioth.debian.org/draft-php/html/ php draft policy]. there's also a mailing list for web applications packagers, debian-webapps@lists.debian.org . while the list is technically for webapp packaging-related issues, you should feel welcome to post purely php-packaging-related questions as well, as there is a significant overlap in the audience and you're more likely to get a response from here than from mailing the php packagers.

For those interested in helping with PHP in Debian

the first thing you should do is send an email to the debian php maintainer's list, pkg-php-maint@lists.alioth.debian.org . help is often needed and always appreciated.

Notes on PHP and security

it's highly recommended that you read README.Debian.security in /usr/share/doc/php*.

in short, security support for php places a high load on the package maintainers, because of the volume of security-related issues and the difficulty of working with the upstream authors in finding the fixes. as such, php security issues are typically triaged with different priorities based on the particulars of the issue.

  • issues involving features that are broken as designed (safe mode, register globals, etc) are completely ignored
  • issues that require a malicious local user (unless there are compelling reasons otherwise) are ignored.
  • issues involving unsafe application usage (applications not filtering input before passing to certain functions) are usually given a low priority or sometimes even ignored in favor of reporting bugs against the offending applications
  • issues involving remote code execution (buffer overflows, code inclusion, etc) are given the highest priority

the debian php maintainers work fairly closely with the debian security (esp. secure-testing) teams, as well as the ubuntu php maintainers, so you can be generally assured that properly reported bugs tagged as security-relevant will be handled as promptly and transparently as possible.

the debian php maintainers are currently considering application of the suhosin php patches to the php core engine for lenny.

Etch errata

after the release of etch, any miscellaneous information/documentation/errata for the php version in etch shall be documented here. note that this is not a place for bug reports, though you should feel free to reference BTS reports if appropriate.

?Anchor(moreinfo)

Further Information