[php-maint] Bug#752086: [php5] Please do not request users to read UPGRADING in NEWS.Debian

Filipus Klutiero chealer at gmail.com
Thu Jun 19 14:10:54 UTC 2014


Package: php5
Version: 5.6.0~beta4+dfsg-4
Severity: wishlist

The 5.6.0~beta4+dfsg-2 changelog entry reads:
>   * Please read full upgrade notes available from
>     /usr/share/doc/php5-common/UPGRADING
>   * Here are the backwards incompatible changes as listed by upstream:
>
>     - Core:
>       By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
>       arrays. Quick example to illustrate:
>       class Test {
>            const FIRST = 1;
>            public $array = array(
>                self::FIRST => 'first',
>                'second',
>                'third'
>            );
>       }
>       Test::$array will have as expected three array keys (1, 2, 3) and no longer
>       two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
>       but will mark the beginning of indexing.
>
>     - JSON:
>       json_decode() no longer accepts non-lowercase variants of lone JSON true,
>       false or null values. For example, True or FALSE will now cause json_decode to
>       return NULL and set an error value you can fetch with json_last_error().
>       This affects JSON texts consisting solely of true, false or null. Text
>       containing non-lowercase values inside JSON arrays or objects has never been
>       accepted.
>
>     - OpenSSL:
>       To prevent man-in-the-middle attacks against encrypted transfers client
>       streams now verify peer certificates by default. Previous versions
>       required users to manually enable peer verification. As a result of this
>       change, existing code using ssl:// or tls:// stream wrappers (e.g.
>       file_get_contents(), fsockopen(), stream_socket_client()) may no longer
>       connect successfully without manually disabling peer verification via the
>       stream context's "verify_peer" setting. Encrypted transfers delegate to
>       operating system certificate stores by default if not overridden via the
>       new openssl.cafile and openssl.cafile ini directives or via call-time SSL
>       context options, so most users should be unaffected by this transparent
>       security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
>
>     - Mcrypt:
>       The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
>       longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
>       required if the used block cipher mode requires it.

We shouldn't request users to read the full upgrade notes for 2 reasons:

 1. We have nothing to gain from users reading that. We should simply inform them for their own good.
 2. Even users usually don't need to read the full upgrade notes. Only a minority of developers want to read the full upgrade notes. Even the backwards-incompatible changes don't need to be read on many systems which only use packaged PHP scripts.


Note that there is no /usr/share/doc/php5-common/UPGRADING; UPGRADING is gzipped.

-- 
Filipus Klutiero
http://www.philippecloutier.com
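
The OpenSSL item in the quoted changelog, as an added example that is not part of the original message or of the php5 package: an "ssl" stream context that switches peer verification off, next to one that keeps it on and supplies a CA file, plus a small check that flags weakened options. The function name audit_ssl_options and the CA bundle path are assumptions made for illustration.

```php
<?php
// Added example: not code from the bug report or from the php5 package.

// Weak: restores the pre-5.6 behaviour by switching verification off.
$weak = ['ssl' => ['verify_peer' => false, 'verify_peer_name' => false]];

// Corrected: keep verification on and point at the CA that signed the peer.
$hardened = ['ssl' => [
    'verify_peer'      => true,
    'verify_peer_name' => true,
    'cafile'           => '/etc/ssl/private-ca/bundle.pem', // assumed path
]];

/** Return a list of findings for the "ssl" options of a stream context. */
function audit_ssl_options(array $options)
{
    $ssl = isset($options['ssl']) ? $options['ssl'] : [];
    $findings = [];
    // Options left unset fall back to the PHP 5.6 defaults (verification on).
    if (array_key_exists('verify_peer', $ssl) && !$ssl['verify_peer']) {
        $findings[] = 'verify_peer disabled: certificate chain is not checked';
    }
    if (array_key_exists('verify_peer_name', $ssl) && !$ssl['verify_peer_name']) {
        $findings[] = 'verify_peer_name disabled: host name is not checked';
    }
    if (!empty($ssl['allow_self_signed'])) {
        $findings[] = 'allow_self_signed enabled';
    }
    if (isset($ssl['cafile']) && !is_readable($ssl['cafile'])) {
        $findings[] = 'cafile not readable: ' . $ssl['cafile'];
    }
    return $findings;
}

foreach (['weak' => $weak, 'hardened' => $hardened] as $name => $opts) {
    // stream_context_get_options() returns what a real context carries.
    $ctx = stream_context_create($opts);
    $found = audit_ssl_options(stream_context_get_options($ctx));
    echo $name, ': ', $found ? implode('; ', $found) : 'ok', PHP_EOL;
}
```

On a machine without the assumed bundle path the hardened context is reported with "cafile not readable", which is the condition that would otherwise surface only as a failed connection.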
