Differences between revisions 10 and 44 (spanning 34 versions)
Revision 10 as of 2009-03-07 22:08:40
Size: 9885
Editor: FranklinPiat
Comment: CategoryPermalink: referenced from libapache2-mod-php5/README.Debian.gz
Revision 44 as of 2021-11-26 08:36:18
Size: 7802
Editor: ?VincentCaron
Comment: Add Bullseye release info
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
#language en
~-[[DebianWiki/EditorGuide#translation|Translation(s)]]: none-~
----
Line 5: Line 8:
[[TableOfContents()]] <<TableOfContents>>
Line 18: Line 21:
This page contains information and links helpful for users and packagers of PHP software in debian. It also contains any errata for the latest stable release of debian. it is not meant to supercede documentation provided in the php package, nor is it meant as a general reference for programming in php. for those see the [#moreinfo Further Information] section. This page contains information and links helpful for users and packagers of PHP software in Debian. It also contains any errata for the latest stable release of Debian. It is not meant to supercede documentation provided in the PHP packages, nor is it meant as a general reference for programming in PHP. For those see the [[#Further_Information|Further Information]] section.
Line 22: Line 25:
{{{/usr/share/doc/php*}}}. Most notably, {{{README.Debian}}} and {{{NEWS.Debian}}}, just like any other package. Note that if you are visiting this page while following the directions in that file, abort now because  you're in an infinite loop :)
{{{/usr/share/doc/php*}}}. Most notably, {{{README.Debian}}} and {{{NEWS.Debian}}}, just like any other package. Note that if you are visiting this page while following the directions in that file, abort now because you're in an infinite loop :)
Line 29: Line 31:
please check [http://packages.debian.org the debian PTS] for specific version information Please check [[DebianPts:|the Debian PTS]] for specific version information.
Line 31: Line 33:
|| '''release''' || '''php 4''' || '''php 5''' || '''php 6''' ||
|| sarge || yes || backports || no ||
|| etch || yes || yes || no ||
|| lenny (planned) || [:PHP4Removal:no] || yes || unknown ||
|| '''Release''' || '''PHP version''' ||
|| [[DebianSqueeze|Squeeze 6]] || 5.3.3 ||
|| [[DebianWheezy|Wheezy 7]] || 5.4.45 ||
|| [[DebianJessie|Jessie 8]] || [[DebianPkg:jessie/php5|5.6.40]] ||
|| [[DebianStretch|Stretch 9]] || [[DebianPkg:stretch/php7.0|7.0]] ||
|| [[DebianBuster|Buster 10]] || [[DebianPkg:buster/php7.3|7.3]] ||
|| [[DebianBullseye|Bullseye 11]] || [[DebianPkg:bullseye/php7.4|7.4]] ||
|| [[DebianUnstable|unstable]] || [[DebianPkg:unstable/php8.0|8.0]] ||
Line 36: Line 42:
PHP 4 was provided up to [[DebianEtch]] ([[http://archive.debian.net/src:php4|php 4]]). It was removed and replaced by php5 in [[DebianLenny]]. PHP 7.0 was added in Stretch (php7.0).
Line 39: Line 46:
for every N where N is a php major version, a metapackage phpN exists which will require at least one functioning php server engine installed (i.e. libapache2-mod-php4, php5-cgi, etc).  beyond this, there's always Up until Debian 8 (Jessie), for every M where M is a php major version, a metapackage phpN exists which will require at least one functioning php server engine installed (i.e. libapache2-mod-php5, php5-cgi, etc).
Line 41: Line 48:
{{{apt-cache search php}}} Since Debian 9 (Stretch), for every M.N where M is a php major version and N is a php minor version, a metapackage php exists which will require a default phpM.N package which will require at least one functioning PHP server engine (i.e. libapache2-mod-php7.0, php7.0-fpm or php7.0-cgi)
Line 43: Line 50:
...will give you a long list of php related packages. for more specifics on the package naming schemes, you should check the php draft policy in [#moreinfo Further Information]. Beyond this, there's always:

{{{
$ apt search php
}}}

...w
ill give you a long list of php related packages. For more specifics on the package naming schemes, you should check the PHP draft policy in [[#moreinfo|Further Information]].

=== Developer access ===

See [[PHP/GitUsage]].
Line 47: Line 64:
For each major release N of php (where N is 4 or 5), each of the 4 SAPI's (apache/apache2/cgi/cli) have a different ==== Debian Jessie and below ====

For each major release N of PHP (where N is 4 or 5), each of the 4 SAPI's (apache/apache2/cgi/cli) have a different
Line 56: Line 75:
which for all SAPI's is actually a symlink pointing to a central
directory {{{/etc/phpN/conf.d}}}.
Any file found in this directory ending
in .ini will be treated as a configuration file by the php SAPI.
Any file found in this directory ending in .ini will be treated
as a configuration file by the PHP SAPI.
Line 60: Line 78:
The rationale with this method is that each SAPI can thus be
identically configured with a minimal amount of conffile handling,
but at the same time if you want to have SAPI-specific configuration,
you can just remove the symlink.
==== Debian Stretch and up ====
Line 65: Line 80:
For each major.minor release M.N of PHP (where M is 7 and N is 0, 1, ...), each of the SAPI's (apache2/cgi/fpm/cli/phpdbg/...) have a different central configuration file {{{/etc/php/M.N/$SAPI/php.ini}}}

Additionally, each SAPI is configured with the compile-time option

{{{
        --with-config-file-scan-dir=/etc/php/M.N/$SAPI/conf.d
}}}

Any file found in this directory ending in .ini will be treated
as a configuration file by the PHP SAPI.

The environment variable PHP_INI_SCAN_DIR can be set to override the compile-time option.
Line 68: Line 95:
you should consider taking a look at the [http://webapps-common.alioth.debian.org/draft-php/html/ php draft policy]. there's also a mailing list for web applications packagers, debian-webapps@lists.debian.org . while the list is technically for webapp packaging-related issues, you should  feel welcome to post purely php-packaging-related questions as well, as there is a significant overlap in the audience and you're more likely to get a response from here than from mailing the php packagers. You should consider taking a look at the [[http://webapps-common.alioth.debian.org/draft-php/html/|PHP draft policy]]. There's also a mailing list for web applications packagers, [[http://lists.debian.org/debian-webapps/|debian-webapps@lists.debian.org]] . While the list is technically for webapp packaging-related issues, you should feel welcome to post purely PHP-packaging-related questions as well, as there is a significant overlap in the audience and you're more likely to get a response from here than from mailing the PHP packagers.

The extensions are expected to install their configuration to {{{/etc/php/M.N/mods-available}}} for each M.N tuple the extension has been compiled with and enable the extension as appropriate using {{{/usr/lib/php/php-maintscript-helper}}}.

The easiest way how to package PECL extension is to use {{{dh-php}}} package and helpers included within this package.
Line 72: Line 103:
the first thing you should do is send an email to the debian php maintainer's list, pkg-php-maint@lists.alioth.debian.org . help is often needed and always appreciated. The first thing you should do is send an email to the Debian PHP maintainer's list, [[http://lists.alioth.debian.org/mailman/listinfo/pkg-php-maint|pkg-php-maint@lists.alioth.debian.org]]. Help is often needed and always appreciated.
See also the [[Teams/DebianPHPGroup|php group team]]
Line 76: Line 107:
it's highly recommended that you read README.Debian.security in /usr/share/doc/php*.   It's highly recommended that you read README.Debian.security in /usr/share/doc/php*.
Line 78: Line 109:
in short, security support for php places a high load on the package maintainers, because of the volume of security-related issues and the difficulty of working with the upstream authors in finding the fixes. as such, php security issues are typically triaged with different priorities based on the particulars of the issue. In short, security support for PHP places a high load on the package maintainers, because of the volume of security-related issues and the difficulty of working with the upstream authors in finding the fixes. As such, PHP security issues are typically triaged with different priorities based on the particulars of the issue.
Line 81: Line 112:
 * issues that require a malicious local user (unless there are compelling reasons otherwise) are ignored.    * issues that require a malicious local user (unless there are compelling reasons otherwise) are ignored.
Line 85: Line 116:
the debian php maintainers work fairly closely with the debian security (esp. secure-testing) teams, as well as the ubuntu php maintainers, so you can be generally assured that properly reported bugs tagged as security-relevant will be handled as promptly and transparently as possible. The Debian PHP maintainers work fairly closely with the Debian security (esp. secure-testing) teams, as well as the Ubuntu PHP maintainers, so you can be generally assured that properly reported bugs tagged as security-relevant will be handled as promptly and transparently as possible.
Line 87: Line 118:
As of version 5.2.4-1 of the suhosin patch is enabled by default on the PHP5 Packages shipped by Debian. == Errata ==
Line 89: Line 120:
== Etch errata == === Stretch 9 errata ===
Line 91: Line 122:
after the release of etch, any miscellaneous information/documentation/errata for the php version in etch shall be documented here. note that this ''is not a place for bug reports'', though you should feel free to reference BTS reports if appropriate. Stretch 9 is now stable. No errata has been logged here for it.
Line 93: Line 124:
== Proposed changes ==
=== New/Better extensions manager ===
At some point between Sarge and Etch the PHP packages provide a new configuration layout.
This new layout makes it easier for extensions to install their configuration files without having to modify the php.ini files.
=== Jessie 8 errata ===
Line 98: Line 126:
The new extensions manager was first proposed in the [http://lists.alioth.debian.org/pipermail/pkg-php-maint/2007-May/002549.html pkg-php-maint] list in May. Jessie 8 is now oldstable. No errata has been logged here for it.
Line 100: Line 128:
This new extensions manager provides a different layout similar to the way Apache/2 (in Debian) handles the sites and modules. The main advantage of this new layout is that an extension can be enabled/disabled on a given SAPI but keep it enabled/disabled on other SAPI's. === Wheezy 7 errata ===
Line 102: Line 130:
The new proposed layout looks like: Wheezy 7 is now oldoldStable. No errata has been logged here for it.
Line 104: Line 132:
{{{
/etc/php5
         /conf.d
                 /bar.ini
                 /foo.ini <-------
         /cgi | symbolic link to
                 /conf.d | /etc/php5/conf.d/foo.ini
                        /foo.ini -
         /cli
                 /conf.d
         /apache2
                 /conf.d
}}}
== Notes on Floating Point Rounding ==
Line 118: Line 134:
In the above example the foo extension would only be enabled for in the CGI SAPI, rather than being enabled in all SAPI's. See [[PHP/Rounding]] for some discussion of why floating point rounding does not behave as expected.
Line 120: Line 136:
In order to manage all the linking two new tools are provided: php5enext and php5disext.

Using the same example above, after executing
{{{
# php5enext all bar
}}}

The directories would look like:

{{{
/etc/php5
         /conf.d
                 /bar.ini <---------- - -
                 /foo.ini <------- | | |
         /cgi | | | |
                 /conf.d | | | |
                        /foo.ini - | | |
                        /bar.ini ---- | |
         /cli | |
                 /conf.d | |
                        /bar.ini ------ |
         /apache2 |
                 /conf.d |
                        /bar.ini --------
}}}

Meaning that bar.ini will be parsed by all ''known'' SAPIs (apache2, cgi, cli).

==== Status of the proposition ====
At the moment some work is being done on the ''Debian PHP Maintainers'' [http://svn.debian.org/wsvn/pkg-php/php5/branches/rg-extension-manager/ SVN repository].

==== Responsible of the proposition ====
The person you should contact/blame for this proposition/mess is [wiki:RaphaelGeissert Raphael Geissert] (me ;-)).


==== Impact on existing extensions ====

The next extension manager requires the postinst and postrm scripts to be created.

Example postinst, shell, script:
{{{
# ...

# Enable extension on all SAPIs:
if [ -x /usr/sbin/php5enext ]; then
 /usr/sbin/php5enext all FOO quiet nonfatal
fi
}}}

Example postrm, shell, script:
{{{
# ...

# Disable extension on all SAPIs:
if [ -x /usr/sbin/php5disext ]; then
 /usr/sbin/php5disext all FOO quiet nonfatal
fi
}}}

==== Upgrading SAPIs to the new layout ====

The new SAPI packages would upgrade their old directory layout to the new one.

E.g. from:

{{{
/etc/php5
         /conf.d <-------
         /cgi | symbolic link
             /conf.d ----
}}}

To:

{{{
/etc/php5
         /conf.d
         /cgi
             /conf.d // Each SAPI has it's own conf.d directory
}}}

==== Upgrading extensions to the new layout ====

At the moment the SAPI packages are upgraded they will remove the $SAPI/conf.d symlink and thus disabling all the extensions.

Each, existing, extension will then have to manually '''upgrade''' by calling the php5enext script.

In other words: if an extension is not updated to use the new extensions manager it will be disabled on all SAPI's at the moment SAPI's are upgraded. The reason for this is because of a situation where broken symlinks would be kept (see this [http://lists.alioth.debian.org/pipermail/pkg-php-maint/2007-May/002555.html message by Steve])

[[Anchor(moreinfo)]]
Line 213: Line 139:
 * [http://www.php.net official php homepage]
 * [http://php-security.org php-security.org], authors of hardened php and frequent auditors of php's security.
 * [http://bugs.debian.org/src:php4 bugs against php4 source package]
 * [http://bugs.debian.org/src:php5 bugs against php5 source package]
 * [http://webapps-common.alioth.debian.org/draft-php/html/ draft php packaging policy]
 * debian php maintainer's list: pkg-php-maint@lists.alioth.debian.org
 * debian-webapps mailing list: debian-webapps@lists.debian.org
 * [[http://www.php.net|Official php homepage]]
 * [[http://php-security.org|php-security.org]], authors of hardened php and frequent auditors of php's security.
 * [[DebianBug:src:php5|Bugs against php5 source package]]
 * [[http://webapps-common.alioth.debian.org/draft-php/html/|Draft PHP packaging policy]]
 * Debian PHP maintainer's list: pkg-php-maint@lists.alioth.debian.org ([[http://lists.alioth.debian.org/pipermail/pkg-php-maint/|Browse the list]])
 * Debian webapps mailing list: debian-webapps@lists.debian.org ([[http://lists.debian.org/debian-webapps/|Browse the list]])
Line 221: Line 146:
##This page is referenced from /usr/share/doc/libapache2-mod-php5/README.Debian.gz
CategoryPermalink
## This page is referenced from /usr/share/doc/php5-common/README.Debian.gz
CategoryPermalink  CategoryProgramming

Translation(s): none


PHP and Debian

note: this page is a work in progress.

Overview

From the package description:

  PHP is an HTML-embedded scripting language. Much of its syntax is borrowed
  from C, Java and Perl with a couple of unique PHP-specific features thrown
  in. The goal of the language is to allow web developers to write dynamically
  generated pages quickly.

This page contains information and links helpful for users and packagers of PHP software in Debian. It also contains any errata for the latest stable release of Debian. It is not meant to supercede documentation provided in the PHP packages, nor is it meant as a general reference for programming in PHP. For those see the Further Information section.

The first place you should go for information

/usr/share/doc/php*. Most notably, README.Debian and NEWS.Debian, just like any other package. Note that if you are visiting this page while following the directions in that file, abort now because you're in an infinite loop :)

How PHP is packaged in Debian

Available versions

Please check the Debian PTS for specific version information.

Release

PHP version

Squeeze 6

5.3.3

Wheezy 7

5.4.45

Jessie 8

5.6.40

Stretch 9

7.0

Buster 10

7.3

Bullseye 11

7.4

unstable

8.0

PHP 4 was provided up to DebianEtch (php 4). It was removed and replaced by php5 in DebianLenny. PHP 7.0 was added in Stretch (php7.0).

Available packages

Up until Debian 8 (Jessie), for every M where M is a php major version, a metapackage phpN exists which will require at least one functioning php server engine installed (i.e. libapache2-mod-php5, php5-cgi, etc).

Since Debian 9 (Stretch), for every M.N where M is a php major version and N is a php minor version, a metapackage php exists which will require a default phpM.N package which will require at least one functioning PHP server engine (i.e. libapache2-mod-php7.0, php7.0-fpm or php7.0-cgi)

Beyond this, there's always:

$ apt search php

...will give you a long list of php related packages. For more specifics on the package naming schemes, you should check the PHP draft policy in Further Information.

Developer access

See PHP/GitUsage.

Configuration layout

Debian Jessie and below

For each major release N of PHP (where N is 4 or 5), each of the 4 SAPI's (apache/apache2/cgi/cli) have a different central configuration file /etc/phpN/$SAPI/php.ini.

Additionally, each SAPI is configured with the compile-time option

        --with-config-file-scan-dir=/etc/phpN/$SAPI/conf.d

Any file found in this directory ending in .ini will be treated as a configuration file by the PHP SAPI.

Debian Stretch and up

For each major.minor release M.N of PHP (where M is 7 and N is 0, 1, ...), each of the SAPI's (apache2/cgi/fpm/cli/phpdbg/...) have a different central configuration file /etc/php/M.N/$SAPI/php.ini

Additionally, each SAPI is configured with the compile-time option

        --with-config-file-scan-dir=/etc/php/M.N/$SAPI/conf.d

Any file found in this directory ending in .ini will be treated as a configuration file by the PHP SAPI.

The environment variable PHP_INI_SCAN_DIR can be set to override the compile-time option.

For packagers of PHP applications/modules/libraries

You should consider taking a look at the PHP draft policy. There's also a mailing list for web applications packagers, debian-webapps@lists.debian.org . While the list is technically for webapp packaging-related issues, you should feel welcome to post purely PHP-packaging-related questions as well, as there is a significant overlap in the audience and you're more likely to get a response from here than from mailing the PHP packagers.

The extensions are expected to install their configuration to /etc/php/M.N/mods-available for each M.N tuple the extension has been compiled with and enable the extension as appropriate using /usr/lib/php/php-maintscript-helper.

The easiest way how to package PECL extension is to use dh-php package and helpers included within this package.

For those interested in helping with PHP in Debian

The first thing you should do is send an email to the Debian PHP maintainer's list, pkg-php-maint@lists.alioth.debian.org. Help is often needed and always appreciated. See also the php group team

Notes on PHP and security

It's highly recommended that you read README.Debian.security in /usr/share/doc/php*.

In short, security support for PHP places a high load on the package maintainers, because of the volume of security-related issues and the difficulty of working with the upstream authors in finding the fixes. As such, PHP security issues are typically triaged with different priorities based on the particulars of the issue.

  • issues involving features that are broken as designed (safe mode, register globals, etc) are completely ignored
  • issues that require a malicious local user (unless there are compelling reasons otherwise) are ignored.
  • issues involving unsafe application usage (applications not filtering input before passing to certain functions) are usually given a low priority or sometimes even ignored in favor of reporting bugs against the offending applications
  • issues involving remote code execution (buffer overflows, code inclusion, etc) are given the highest priority

The Debian PHP maintainers work fairly closely with the Debian security (esp. secure-testing) teams, as well as the Ubuntu PHP maintainers, so you can be generally assured that properly reported bugs tagged as security-relevant will be handled as promptly and transparently as possible.

Errata

Stretch 9 errata

Stretch 9 is now stable. No errata has been logged here for it.

Jessie 8 errata

Jessie 8 is now oldstable. No errata has been logged here for it.

Wheezy 7 errata

Wheezy 7 is now oldoldStable. No errata has been logged here for it.

Notes on Floating Point Rounding

See PHP/Rounding for some discussion of why floating point rounding does not behave as expected.

Further Information


CategoryPermalink CategoryProgramming