[php-maint] Bug#696470: php5-suhosin: php5-common make php5-suhosin defective

Ondřej Surý ondrej at debian.org
Tue Jun 4 13:01:09 UTC 2013

On Tue, Jun 4, 2013 at 2:41 PM, Jan Wagner <waja at cyconet.org> wrote:

> Hash: SHA1
> Hi Ondřej,
> thanks for your reply.
> Am 04.06.2013 13:59, schrieb Ondřej Surý:
> > On Tue, Jun 4, 2013 at 1:31 PM, Jan Wagner <waja at cyconet.org
> > <mailto:waja at cyconet.org>> wrote: as this Break is unversioned, how
> > is the plan to get a (maybe in the future) compatible php5-suhosin
> > installed beside php5-common?
> >
> > There's no plan since there's no suhosin.
> Oh Ondřej, come on! This was not a question about the actual suhosin
> status, but about the PHP packages.

When there's some activity on the upstream part, we can create a plan.  The
last commit in suhosin repository on github was more than _a year_ ago. So,
you are trying to create plan for non-existent software.

> With the actual PHP packages, it is not possible to install a package
> named "php5-suhosin". Do you want to tell me, the PHP Maintainers
> didn't consider that php5-suhosin maybe come back?

Yes, I don't think the php5-suhosin will ever come back. And even if it did
I don't plan re-adding suhosin patch to php5 sources.

> Even if this problen can be solved for jessie and sid, what whould
> > be the best way to provide a php5-suhosin package for wheezy (for
> > example maybe via backports)?
> >
> > You won't be able to use backports due PHP 5.5 in sid.
> Maybe I'm dumb, but I actually don't see a problem, if there occure a
> new suhosin upstream release, which maybe compatible with PHP 5.5 and
> 5.4. Did I oversee anything?

Maybe this could work, but you won't be able to test it with PHP 5.4 before
you will upload to backports, which is not very QA-wise.

> > If there's a new stable suhosin, we can always release new php 5.4
> > via pu, but I think that it's not worth the trouble for wheezy.
> - From my experiences with pu, this will likely rare happen til not.

Not true, there's already php5 accepted in pu.

> Anyways this will add a big expense and even shifts a system where
> php5-common and php5-suhosin can be installed along far in the future.
> > Users can always use unpackaged extension with php5-dev.
> Which unfortunately doesn't scale in larger setups.

Suhosin upstream is unrealiable with releases and promises[*]. And we
didn't have a correct version number at hand when we have released wheezy.
If you had given me the correct version number which will support PHP 5.4
(confirmed by upstream), I would have changed the Breaks to be versioned.

* - My understanding is that he just lost interest in PHP (-suhosin) and
have moved on to some other projects (dayjob).

Ondřej Surý <ondrej at sury.org>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20130604/b95601cf/attachment.html>

More information about the pkg-php-maint mailing list