[gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[Christian Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 1706 bytes --]

Heya,

I'm going to p.mask =dev-lang/php-4* and all packages explicitly
depending on this version of php (i.e. the whole dev-php4/ category
(36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1])
next weekend (around Oct 14th). This step is necessary as there is
hardly any upstream activity anymore.

The last official version of php-4, 4.4.7, dates back to May 3rd and is
in the same state as php-5.2.2 security-wise (and we all know how many
issues php-5 had in the past, just have a look at the recently published
GLSA 200710-02 [2]).

All those security problems, which were fixed in the 5.2 branch,
possibly apply to the 4.4 branch as well, yet there are no (backported)
fixes in upstream CVS and there is no sign of an upcoming release
either.
This means, if we were to continue php-4 support we would have to do
the upstream work and compile a list of issues + patches. Upstream
developers seem to see it the same way -- "if you really want to get it
done - do it" was one reply when I asked what's up with php-4. Noone
from our PHP team has the time and motiviation to do that work, and as
such we are going to mask it (unless someone volunteers to do the work
and/or upstream becomes active again).

We will still keep php-4 (and all related packages) in the tree until at
least the end of the year (this is the date where official upstream
"support" ends) and bump it if (and not "when"...) there are any
releases.

We advise all users of of php-4 to upgrade to php-5 as soon as possible.

[1] https://bugs.gentoo.org/show_bug.cgi?id=194894
[2] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml

-- 
Christian Hoffmann
Gentoo PHP herd

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[Marius Mauch]

[-- Attachment #1: Type: text/plain, Size: 837 bytes --]

On Sun, 7 Oct 2007 15:13:49 +0200
Christian Hoffmann <hoffie@gentoo.org> wrote:

> Heya,
> 
> I'm going to p.mask =dev-lang/php-4* and all packages explicitly
> depending on this version of php (i.e. the whole dev-php4/ category
> (36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1])
> next weekend (around Oct 14th). This step is necessary as there is
> hardly any upstream activity anymore.

You should probably post that in a more user-oriented channel, like
gentoo-announce and/or the forums to reduce the number of "surprised"
users [1]

Marius

[1] http://forums.gentoo.org/viewtopic-t-597017.html

-- 
Public Key at http://www.genone.de/info/gpg-key.pub

In the beginning, there was nothing. And God said, 'Let there be
Light.' And there was still nothing, but you could see a bit better.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[Josh Saddler]

[-- Attachment #1: Type: text/plain, Size: 2228 bytes --]

Christian Hoffmann wrote:
> Heya,
> 
> I'm going to p.mask =dev-lang/php-4* and all packages explicitly
> depending on this version of php (i.e. the whole dev-php4/ category
> (36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1])
> next weekend (around Oct 14th). This step is necessary as there is
> hardly any upstream activity anymore.
> 
> The last official version of php-4, 4.4.7, dates back to May 3rd and is
> in the same state as php-5.2.2 security-wise (and we all know how many
> issues php-5 had in the past, just have a look at the recently published
> GLSA 200710-02 [2]).
> 
> All those security problems, which were fixed in the 5.2 branch,
> possibly apply to the 4.4 branch as well, yet there are no (backported)
> fixes in upstream CVS and there is no sign of an upcoming release
> either.
> This means, if we were to continue php-4 support we would have to do
> the upstream work and compile a list of issues + patches. Upstream
> developers seem to see it the same way -- "if you really want to get it
> done - do it" was one reply when I asked what's up with php-4. Noone
> from our PHP team has the time and motiviation to do that work, and as
> such we are going to mask it (unless someone volunteers to do the work
> and/or upstream becomes active again).
> 
> We will still keep php-4 (and all related packages) in the tree until at
> least the end of the year (this is the date where official upstream
> "support" ends) and bump it if (and not "when"...) there are any
> releases.
> 
> We advise all users of of php-4 to upgrade to php-5 as soon as possible.
> 
> [1] https://bugs.gentoo.org/show_bug.cgi?id=194894
> [2] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml

Since you're doing the masking, can you please help out the GDP by
reviewing a few of our documents for any potential changes that must be
made? Grepping for "php4" shows that there are references in the
following docs:

1. http://www.gentoo.org/doc/en/jffnms.xml
2. http://www.gentoo.org/doc/en/apache-troubleshooting.xml
3. http://www.gentoo.org/doc/en/qmail-howto.xml
4. http://www.gentoo.org/doc/en/handbook/hb-working-rcscripts.xml


Thanks,

Josh


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

[gentoo-dev] Re: Upcoming masking of dev-lang/php-4* and packages depending on it

[Christian Faulhammer]

[-- Attachment #1: Type: text/plain, Size: 855 bytes --]

Marius Mauch <genone@gentoo.org>:

> On Sun, 7 Oct 2007 15:13:49 +0200
> Christian Hoffmann <hoffie@gentoo.org> wrote:
> > I'm going to p.mask =dev-lang/php-4* and all packages explicitly
> > depending on this version of php (i.e. the whole dev-php4/ category
> > (36 packages) and one webapp, www-apps/knowledgetree, bug 194894
> > [1]) next weekend (around Oct 14th). This step is necessary as
> > there is hardly any upstream activity anymore.
> You should probably post that in a more user-oriented channel, like
> gentoo-announce and/or the forums to reduce the number of "surprised"
> users [1]

 Or even write a short summary for the GWN...they would be happy about
it.

V-Li

-- 
Christian Faulhammer, Gentoo Lisp project
<URL:http://www.gentoo.org/proj/en/lisp/>, #gentoo-lisp on FreeNode

<URL:http://www.faulhammer.org/>

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Re: Upcoming masking of dev-lang/php-4* and packages depending on it

[Christian Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 1193 bytes --]

On 2007-10-11 at 07:58 +0200, Christian Faulhammer wrote:

> Marius Mauch <genone@gentoo.org>:
> 
> > On Sun, 7 Oct 2007 15:13:49 +0200
> > Christian Hoffmann <hoffie@gentoo.org> wrote:
> > > I'm going to p.mask =dev-lang/php-4* and all packages explicitly
> > > depending on this version of php (i.e. the whole dev-php4/
> > > category (36 packages) and one webapp, www-apps/knowledgetree,
> > > bug 194894 [1]) next weekend (around Oct 14th). This step is
> > > necessary as there is hardly any upstream activity anymore.
> > You should probably post that in a more user-oriented channel, like
> > gentoo-announce and/or the forums to reduce the number of
> > "surprised" users [1]
Ok, haven't seen the thread, but it's probably a very good idea to
post something to -announce / forums anyway. I'll do that later today.

We'll also move the date of masking to Oct 18th, so that the wider
userbase has one full week time to "prepare" for the masking as well. :)


>  Or even write a short summary for the GWN...they would be happy about
> it.
I already submitted something on the same day I sent the
-dev{,-announce} mail.

-- 
Christian Hoffmann
Gentoo PHP herd

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[Christian Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 1856 bytes --]

On 2007-10-10 at 22:44 -0700, Josh Saddler wrote:

> Since you're doing the masking, can you please help out the GDP by
> reviewing a few of our documents for any potential changes that must
> be made? Grepping for "php4" shows that there are references in the
> following docs:

The occurences of -D PHP4 in all 4 documents can safely be replaced by
-D PHP5, syntactically (assuming the software in question works with
php-5 as well, but the ebuilds do not depend on =php-4* explictily, so
I guess it's the case here).

Additionally:

> 1. http://www.gentoo.org/doc/en/jffnms.xml
sed s:apache2-php4:apache2-php5:g
sed s:/usr/share/php4:/usr/share/php5:
I'm not sure about the last sentence on the page:
> You may also run into problems when configuring Apache to work with
> PHP (specially if you run both PHP4 and PHP5 on the same system). In
> that case, our Configuring Apache to Work with PHP4 and PHP5 guide
> may give you some help."
Maybe removing it completely would be best?

> 2. http://www.gentoo.org/doc/en/apache-troubleshooting.xml
This is outdated regarding php anyway:
> $ equery depends www-servers/apache
> [ Searching for packages depending on www-servers/apache... ]
> dev-php/phpsysinfo-2.3-r2
> dev-php/phpsysinfo-2.1-r2
> dev-php/mod_php-4.3.11-r2
^^ should be dev-lang/php-5.2.4_p20070914-r2
> net-www/mod_layout-4.0.1a-r1
> www-servers/gorg-0.5
> 
> (then rebuild any modules you have installed)
> # emerge -av '=dev-php/mod_php-4.3.11-r2'
^^ same here, must be '=dev-lang/php-5.2.4_p20070914-r2' (is it really
useful to specify full versions here?)
> '=net-www/mod_layout-4.0.1.a-r1'


I know that the PHP documentation itself needs a lot of updates, too,
(not only regarding masking of php-4) and I'll try to work on it in the
next weeks.

-- 
Christian Hoffmann
Gentoo PHP herd

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[Josh Saddler]

[-- Attachment #1: Type: text/plain, Size: 1967 bytes --]

Christian Hoffmann wrote:
> On 2007-10-10 at 22:44 -0700, Josh Saddler wrote:
> 
>> Since you're doing the masking, can you please help out the GDP by
>> reviewing a few of our documents for any potential changes that must
>> be made? Grepping for "php4" shows that there are references in the
>> following docs:
> 
> The occurences of -D PHP4 in all 4 documents can safely be replaced by
> -D PHP5, syntactically (assuming the software in question works with
> php-5 as well, but the ebuilds do not depend on =php-4* explictily, so
> I guess it's the case here).
> 
> Additionally:
> 
>> 1. http://www.gentoo.org/doc/en/jffnms.xml
> sed s:apache2-php4:apache2-php5:g
> sed s:/usr/share/php4:/usr/share/php5:
> I'm not sure about the last sentence on the page:
>> You may also run into problems when configuring Apache to work with
>> PHP (specially if you run both PHP4 and PHP5 on the same system). In
>> that case, our Configuring Apache to Work with PHP4 and PHP5 guide
>> may give you some help."
> Maybe removing it completely would be best?
> 
>> 2. http://www.gentoo.org/doc/en/apache-troubleshooting.xml
> This is outdated regarding php anyway:
>> $ equery depends www-servers/apache
>> [ Searching for packages depending on www-servers/apache... ]
>> dev-php/phpsysinfo-2.3-r2
>> dev-php/phpsysinfo-2.1-r2
>> dev-php/mod_php-4.3.11-r2
> ^^ should be dev-lang/php-5.2.4_p20070914-r2
>> net-www/mod_layout-4.0.1a-r1
>> www-servers/gorg-0.5
>>
>> (then rebuild any modules you have installed)
>> # emerge -av '=dev-php/mod_php-4.3.11-r2'
> ^^ same here, must be '=dev-lang/php-5.2.4_p20070914-r2' (is it really
> useful to specify full versions here?)
>> '=net-www/mod_layout-4.0.1.a-r1'
> 
> 
> I know that the PHP documentation itself needs a lot of updates, too,
> (not only regarding masking of php-4) and I'll try to work on it in the
> next weeks.

Thanks for the fixes; I'll get busy committing them.



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: [gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it

[Josh Saddler]

[-- Attachment #1: Type: text/plain, Size: 2047 bytes --]

Josh Saddler wrote:
> Christian Hoffmann wrote:
>> On 2007-10-10 at 22:44 -0700, Josh Saddler wrote:
>>
>>> Since you're doing the masking, can you please help out the GDP by
>>> reviewing a few of our documents for any potential changes that must
>>> be made? Grepping for "php4" shows that there are references in the
>>> following docs:
>> The occurences of -D PHP4 in all 4 documents can safely be replaced by
>> -D PHP5, syntactically (assuming the software in question works with
>> php-5 as well, but the ebuilds do not depend on =php-4* explictily, so
>> I guess it's the case here).
>>
>> Additionally:
>>
>>> 1. http://www.gentoo.org/doc/en/jffnms.xml
>> sed s:apache2-php4:apache2-php5:g
>> sed s:/usr/share/php4:/usr/share/php5:
>> I'm not sure about the last sentence on the page:
>>> You may also run into problems when configuring Apache to work with
>>> PHP (specially if you run both PHP4 and PHP5 on the same system). In
>>> that case, our Configuring Apache to Work with PHP4 and PHP5 guide
>>> may give you some help."
>> Maybe removing it completely would be best?
>>
>>> 2. http://www.gentoo.org/doc/en/apache-troubleshooting.xml
>> This is outdated regarding php anyway:
>>> $ equery depends www-servers/apache
>>> [ Searching for packages depending on www-servers/apache... ]
>>> dev-php/phpsysinfo-2.3-r2
>>> dev-php/phpsysinfo-2.1-r2
>>> dev-php/mod_php-4.3.11-r2
>> ^^ should be dev-lang/php-5.2.4_p20070914-r2
>>> net-www/mod_layout-4.0.1a-r1
>>> www-servers/gorg-0.5
>>>
>>> (then rebuild any modules you have installed)
>>> # emerge -av '=dev-php/mod_php-4.3.11-r2'
>> ^^ same here, must be '=dev-lang/php-5.2.4_p20070914-r2' (is it really
>> useful to specify full versions here?)
>>> '=net-www/mod_layout-4.0.1.a-r1'
>>
>> I know that the PHP documentation itself needs a lot of updates, too,
>> (not only regarding masking of php-4) and I'll try to work on it in the
>> next weeks.
> 
> Thanks for the fixes; I'll get busy committing them.

. . . fixed in CVS!



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]