[php-maint] Bug#752086: [php5] Please do not request users to read UPGRADING in NEWS.Debian
Filipus Klutiero
chealer at gmail.com
Thu Jun 19 14:10:54 UTC 2014
Package: php5
Version: 5.6.0~beta4+dfsg-4
Severity: wishlist
The 5.6.0~beta4+dfsg-2 changelog entry reads:
> * Please read full upgrade notes available from
> /usr/share/doc/php5-common/UPGRADING
> * Here are the backwards incompatible changes as listed by upstream:
>
> - Core:
> By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
> arrays. Quick example to illustrate:
>   class Test {
>       const FIRST = 1;
>       public $array = array(
>           self::FIRST => 'first',
>           'second',
>           'third'
>       );
>   }
> Test::$array will have as expected three array keys (1, 2, 3) and no longer
> two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
> but will mark the beginning of indexing.
>
> - JSON:
> json_decode() no longer accepts non-lowercase variants of lone JSON true,
> false or null values. For example, True or FALSE will now cause json_decode to
> return NULL and set an error value you can fetch with json_last_error().
> This affects JSON texts consisting solely of true, false or null. Text
> containing non-lowercase values inside JSON arrays or objects has never been
> accepted.
>
> - OpenSSL:
> To prevent man-in-the-middle attacks against encrypted transfers client
> streams now verify peer certificates by default. Previous versions
> required users to manually enable peer verification. As a result of this
> change, existing code using ssl:// or tls:// stream wrappers (e.g.
> file_get_contents(), fsockopen(), stream_socket_client()) may no longer
> connect successfully without manually disabling peer verification via the
> stream context's "verify_peer" setting. Encrypted transfers delegate to
> operating system certificate stores by default if not overridden via the
> new openssl.cafile and openssl.cafile ini directives or via call-time SSL
> context options, so most users should be unaffected by this transparent
> security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
>
> - Mcrypt:
> The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
> longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
> required if the used block cipher mode requires it.
We shouldn't request users to read the full upgrade notes for 2 reasons:
1. We have nothing to gain from users reading that. We should simply inform them for their own good.
2. Even users usually don't need to read the full upgrade notes. Only a minority of developers want to read the full upgrade notes. Even the backwards-incompatible changes don't need to be read on many systems which only use packaged PHP scripts.
Note that there is no /usr/share/doc/php5-common/UPGRADING.
UPGRADING is gzipped.
--
Filipus Klutiero
http://www.philippecloutier.com
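
The OpenSSL entry quoted in the message above says client streams now verify peers by default and that a CA file can be supplied through call-time SSL context options. The sketch below is an added example, not part of the original message, the changelog or the php5 package: it keeps verification on and supplies a CA bundle instead of turning "verify_peer" off. The function names tlsContext() and fetchOverTls(), the host and the bundle path are hypothetical.

```php
<?php
// Added example: keep peer verification enabled on PHP >= 5.6 client streams.
// tlsContext() and fetchOverTls() are hypothetical helper names.

// Build an "ssl" stream context. With $caFile = null, PHP falls back to the
// openssl.cafile ini setting or the operating system certificate store.
function tlsContext($caFile = null)
{
    $ssl = array(
        'verify_peer'       => true,  // the 5.6 default, stated explicitly
        'verify_peer_name'  => true,  // certificate must match the host name
        'allow_self_signed' => false,
    );
    if ($caFile !== null) {
        if (!is_readable($caFile)) {
            throw new InvalidArgumentException("CA bundle not readable: $caFile");
        }
        $ssl['cafile'] = $caFile;     // e.g. an internal CA in PEM format
    }
    return stream_context_create(array('ssl' => $ssl));
}

// Open a verified TLS connection and fail closed if verification fails.
function fetchOverTls($host, $port, $context)
{
    $errno = 0;
    $errstr = '';
    $fp = stream_socket_client("tls://$host:$port", $errno, $errstr, 10,
                               STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        // PHP also emits a warning carrying the OpenSSL verification error.
        throw new RuntimeException("TLS connect to $host failed: $errstr ($errno)");
    }
    fclose($fp);
    return true;
}

// Offline check: show the options the context carries.
var_dump(stream_context_get_options(tlsContext()));

// Optional live check: php example.php <host> [ca-bundle.pem]
if (isset($argv[1])) {
    fetchOverTls($argv[1], 443, tlsContext(isset($argv[2]) ? $argv[2] : null));
    echo "peer certificate verified for {$argv[1]}\n";
}
```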