Debian Bug report logs - #668053
[php5-common] php.ini-production does not actually have production values
Reported by: Filipus Klutiero <chealer@gmail.com>
Date: Sun, 8 Apr 2012 16:00:01 UTC
Severity: wishlist
Tags: wontfix
Done: Ondřej Surý <ondrej@debian.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Sun, 08 Apr 2012 16:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 08 Apr 2012 16:00:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: php5-common
Version: 5.4.1~rc1-1
Severity: normal
/usr/share/php5/php.ini-production contains:
> ; This directive determines whether or not PHP will recognize code between
> ; <? and ?> tags as PHP source which should be processed as such. It's been
> ; recommended for several years that you not use the short tag "short cut" and
> ; instead to use the full <?php and ?> tag combination. With the wide spread use
> ; of XML and use of these tags by other languages, the server can become easily
> ; confused and end up parsing the wrong code in the wrong context. But because
> ; this short cut has been a feature for such a long time, it's currently still
> ; supported for backwards compatibility, but we recommend you don't use them.
> ; Default Value: On
> ; Development Value: Off
> ; Production Value: Off
> ; http://php.net/short-open-tag
> short_open_tag = On
The actual value isn't the production value. The actual value also
differs from upstream's:
> ; This directive determines whether or not PHP will recognize code between
> ;<? and ?> tags as PHP source which should be processed as such. It's been
> ; recommended for several years that you not use the short tag "short cut" and
> ; instead to use the full<?php and ?> tag combination. With the wide spread use
> ; of XML and use of these tags by other languages, the server can become easily
> ; confused and end up parsing the wrong code in the wrong context. But because
> ; this short cut has been a feature for such a long time, it's currently still
> ; supported for backwards compatibility, but we recommend you don't use them.
> ; Default Value: On
> ; Development Value: Off
> ; Production Value: Off
> ; http://php.net/short-open-tag
> short_open_tag = Off
http://git.php.net/?p=php-src.git;a=blob_plain;f=php.ini-production;h=ee830c3692d34d7b9683527a55ae218b5a9a9207;hb=refs/heads/PHP-5.4
This is just an example.
Reply sent
to Ondřej Surý <ondrej@debian.org>:
You have taken responsibility.
(Sun, 08 Apr 2012 16:27:24 GMT) (full text, mbox, link).
Notification sent
to Filipus Klutiero <chealer@gmail.com>:
Bug acknowledged by developer.
(Sun, 08 Apr 2012 16:27:24 GMT) (full text, mbox, link).
Message #10 received at 668053-done@bugs.debian.org (full text, mbox, reply):
Version: 5.4.1~rc1-1
On Sun, Apr 8, 2012 at 17:56, Filipus Klutiero <chealer@gmail.com> wrote:
> The actual value isn't the production value.
That's an opinion, not a bug report.
> The actual value also differs from upstream's:
So what? We patch PHP in Debian in various ways. If you want vanilla
PHP, you install PHP from upstream.
Closing the bug.
O.
--
Ondřej Surý <ondrej@sury.org>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Sun, 08 Apr 2012 16:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 08 Apr 2012 16:39:03 GMT) (full text, mbox, link).
Message #15 received at 668053@bugs.debian.org (full text, mbox, reply):
reopen 668053
thanks
Hi Ondřej,
On 2012-04-08 12:23, Ondřej Surý wrote:
> Version: 5.4.1~rc1-1
>
> On Sun, Apr 8, 2012 at 17:56, Filipus Klutiero<chealer@gmail.com> wrote:
>> The actual value isn't the production value.
> That's an opinion, not a bug report.
That's not an opinion, that's a bug. Compare
> ; Production Value: Off
with
> short_open_tag = On
Off != On
>> The actual value also differs from upstream's:
> So what?
So this is not an upstream issue. The issue appears to be with the
actual value.
Message #16 received at 668053-done@bugs.debian.org (full text, mbox, reply):
As I said, we patch the PHP in other various ways (there's 58 patches
in total). If you want vanilla, get a vanilla. There is no bug here.
O.
On Sun, Apr 8, 2012 at 18:36, Filipus Klutiero <chealer@gmail.com> wrote:
> reopen 668053
> thanks
>
> Hi Ondřej,
>
> On 2012-04-08 12:23, Ondřej Surý wrote:
>>
>> Version: 5.4.1~rc1-1
>>
>> On Sun, Apr 8, 2012 at 17:56, Filipus Klutiero<chealer@gmail.com> wrote:
>>>
>>> The actual value isn't the production value.
>>
>> That's an opinion, not a bug report.
>
>
> That's not an opinion, that's a bug. Compare
>>
>> ; Production Value: Off
>
> with
>>
>> short_open_tag = On
>
> Off != On
>
>>> The actual value also differs from upstream's:
>>
>> So what?
>
>
> So this is not an upstream issue. The issue appears to be with the actual
> value.
--
Ondřej Surý <ondrej@sury.org>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Sun, 08 Apr 2012 17:09:09 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 08 Apr 2012 17:09:09 GMT) (full text, mbox, link).
Message #21 received at 668053@bugs.debian.org (full text, mbox, reply):
On Sun, April 8, 2012 18:36, Filipus Klutiero wrote:
> That's not an opinion, that's a bug. Compare
>> ; Production Value: Off
> with
>> short_open_tag = On
> Off != On
I think what confuses you is that the comments in the php.ini indicate
what upstream considers production values, while what we ship is different
from that because we do not think that short_open_tag necessarily needs to
be off for environments considered 'production'.
Cheers,
Thijs
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Sun, 08 Apr 2012 20:21:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 08 Apr 2012 20:21:05 GMT) (full text, mbox, link).
Message #26 received at 668053@bugs.debian.org (full text, mbox, reply):
On 2012-04-08 13:07, Thijs Kinkhorst wrote:
> On Sun, April 8, 2012 18:36, Filipus Klutiero wrote:
>> That's not an opinion, that's a bug. Compare
>>> ; Production Value: Off
>> with
>>> short_open_tag = On
>> Off != On
> I think what confuses you is that the comments in the php.ini indicate
> what upstream considers production values, while what we ship is different
> from that because we do not think that short_open_tag necessarily needs to
> be off for environments considered 'production'.
>
That looks like it. debian/rules "sanitizes" php.ini files:
> # sanitize php.ini file
> cat php.ini-production | tr "\t" " " | sed -e'/short_open_tag =/ s/Off/On/g;/session.gc_probability =/ s/1/0/g;/disable_functions =/ s/$$/ $(PCNTL_FUNCTIONS)/g;'> debian/php5-common/usr/share/php5/php.ini-production
> cat php.ini-production | tr "\t" " " | sed -e'/memory_limit =/ s/128M/-1/g;/short_open_tag =/ s/Off/On/g;/session.gc_probability =/ s/1/0/g'> debian/php5-common/usr/share/php5/php.ini-production.cli
> cat php.ini-development | tr "\t" " " | sed -e'/short_open_tag =/ s/Off/On/g;/session.gc_probability =/ s/1/0/g;/disable_functions =/ s/$$/ $(PCNTL_FUNCTIONS)/g;'> debian/php5-common/usr/share/php5/php.ini-development
So it looks like we're changing the value of 3-4 default settings from
the upstream value, but we're not updating the corresponding documentation.
By the way, regarding short_open_tag, according to php.ini
"php.ini-production contains settings which hold security, performance
and best practices at its core."
and:
> This directive determines whether or not PHP will recognize code between
> ; <? and ?> tags as PHP source which should be processed as such. It's been
> ; recommended for several years that you not use the short tag "short cut" and
> ; instead to use the full <?php and ?> tag combination. With the wide spread use
> ; of XML and use of these tags by other languages, the server can become easily
> ; confused and end up parsing the wrong code in the wrong context. But because
> ; this short cut has been a feature for such a long time, it's currently still
> ; supported for backwards compatibility, but we recommend you don't use them.
So I don't think short_open_tag should be enabled in php.ini-production.
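The mismatch discussed in this message, a shipped value that contradicts the "Production Value" comment directly above it, can be checked mechanically. The following is an added example, not part of the original thread or of the Debian packaging; the function names and the sample excerpt are constructed for illustration, and the boolean handling is a simplification of PHP's ini parsing.

```python
import re

# Constructed excerpt laid out like the php.ini-production text quoted in this
# report; the quick-reference block and display_errors entry are constructed.
SAMPLE_INI = """\
; Quick reference (documentation only, no active directive follows)
; short_open_tag
;   Default Value: On
;   Development Value: Off
;   Production Value: Off

[PHP]
; Default Value: On
; Development Value: Off
; Production Value: Off
; http://php.net/short-open-tag
short_open_tag = On

; Default Value: On
; Development Value: On
; Production Value: Off
display_errors = Off
"""

PRODUCTION_RE = re.compile(r"^;\s*Production Value:\s*(.+?)\s*$", re.IGNORECASE)
DIRECTIVE_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*)$")
TRUE_WORDS = {"on", "yes", "true"}
FALSE_WORDS = {"off", "no", "false"}


def normalise(value):
    """Reduce a value to a comparable form (simplified boolean handling)."""
    value = value.split(";", 1)[0].strip().strip("\"'").lower()
    if value in TRUE_WORDS:
        return "1"
    if value in FALSE_WORDS:
        return "0"
    return value


def find_drift(ini_text):
    """Return (line_no, directive, documented, actual) for each mismatch."""
    findings = []
    documented = None  # Production Value seen in the current comment block
    for line_no, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        match = PRODUCTION_RE.match(line)
        if match:
            documented = match.group(1)
            continue
        if line.startswith(";"):
            continue  # other comment lines keep the block open
        directive = DIRECTIVE_RE.match(line)
        if directive and documented is not None:
            name, actual = directive.group(1), directive.group(2).strip()
            if normalise(documented) != normalise(actual):
                findings.append((line_no, name, documented, actual))
        # A blank line, section header or directive ends the comment block, so
        # documentation-only entries never attach to an unrelated directive.
        documented = None
    return findings


if __name__ == "__main__":
    for line_no, name, documented, actual in find_drift(SAMPLE_INI):
        print(f"line {line_no}: {name} = {actual}, but comment says {documented}")
```

Run against a packaged php.ini-production, each reported line is a setting where the shipped value and the documented production value disagree, whichever of the two is meant to be authoritative.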
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Sun, 08 Apr 2012 20:27:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 08 Apr 2012 20:27:05 GMT) (full text, mbox, link).
Message #31 received at 668053@bugs.debian.org (full text, mbox, reply):
First, this is not a support forum. I'm reporting a bug, not asking to
provide me generous support.
Anyway, the problem isn't the specific value taken by short_open_tag or
any other problematic setting, or whether it diverges from upstream. The
problem is the contradiction between the comments and the values
actually set. You can change the values actually set or change the
documentation, as long as it's consistent. Sorry if the summary's
phrasing suggested otherwise, that wasn't intended.
On 2012-04-08 12:50, Ondřej Surý wrote:
> As I said, we patch the PHP in other various ways (there's 58 patches
> in total). If you want vanilla, get a vanilla. There is no bug here.
>
> O.
>
> On Sun, Apr 8, 2012 at 18:36, Filipus Klutiero<chealer@gmail.com> wrote:
>> reopen 668053
>> thanks
>>
>> Hi Ondřej,
>>
>> On 2012-04-08 12:23, Ondřej Surý wrote:
>>> Version: 5.4.1~rc1-1
>>>
>>> On Sun, Apr 8, 2012 at 17:56, Filipus Klutiero<chealer@gmail.com> wrote:
>>>> The actual value isn't the production value.
>>> That's an opinion, not a bug report.
>>
>> That's not an opinion, that's a bug. Compare
>>> ; Production Value: Off
>> with
>>> short_open_tag = On
>> Off != On
>>
>>>> The actual value also differs from upstream's:
>>> So what?
>>
>> So this is not an upstream issue. The issue appears to be with the actual
>> value.
>>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Sun, 08 Apr 2012 20:39:06 GMT) (full text, mbox, link).
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Sun, 08 Apr 2012 20:39:06 GMT) (full text, mbox, link).
Message #36 received at 668053@bugs.debian.org (full text, mbox, reply):
On Sun, April 8, 2012 22:18, Filipus Klutiero wrote:
> On 2012-04-08 13:07, Thijs Kinkhorst wrote:
>> On Sun, April 8, 2012 18:36, Filipus Klutiero wrote:
>>> That's not an opinion, that's a bug. Compare
>>>> ; Production Value: Off
>>> with
>>>> short_open_tag = On
>>> Off != On
>> I think what confuses you is that the comments in the php.ini indicate
>> what upstream considers production values, while what we ship is
>> different
>> from that because we do not think that short_open_tag necessarily needs
>> to
>> be off for environments considered 'production'.
>>
>
> That looks like it. debian/rules "sanitizes" php.ini files:
>
>> # sanitize php.ini file
>> cat php.ini-production | tr "\t" " " | sed -e'/short_open_tag =/
>> s/Off/On/g;/session.gc_probability =/ s/1/0/g;/disable_functions =/
>> s/$$/ $(PCNTL_FUNCTIONS)/g;'>
>> debian/php5-common/usr/share/php5/php.ini-production
>> cat php.ini-production | tr "\t" " " | sed -e'/memory_limit =/
>> s/128M/-1/g;/short_open_tag =/ s/Off/On/g;/session.gc_probability =/
>> s/1/0/g'> debian/php5-common/usr/share/php5/php.ini-production.cli
>> cat php.ini-development | tr "\t" " " | sed -e'/short_open_tag =/
>> s/Off/On/g;/session.gc_probability =/ s/1/0/g;/disable_functions =/
>> s/$$/ $(PCNTL_FUNCTIONS)/g;'>
>> debian/php5-common/usr/share/php5/php.ini-development
>
> So it looks like we're changing the value of 3-4 default settings from
> the upstream value, but we're not updating the corresponding
> documentation.
I disagree. The comments contain advice by PHP upstream on what to do. We
supply this advice to the user, but at some points set other defaults.
That does not mean that the advice is necessarily wrong. See below for
explanation in this specific case.
> By the way, regarding short_open_tag, according to php.ini
> "php.ini-production contains settings which hold security, performance
> and best practices at its core."
I don't think anyone disagrees with those goals.
> and:
>> This directive determines whether or not PHP will recognize code between
>> ; <? and ?> tags as PHP source which should be processed as such. It's
>> been
>> ; recommended for several years that you not use the short tag "short
>> cut" and
>> ; instead to use the full <?php and ?> tag combination. With the wide
>> spread use
>> ; of XML and use of these tags by other languages, the server can
>> become easily
>> ; confused and end up parsing the wrong code in the wrong context. But
>> because
>> ; this short cut has been a feature for such a long time, it's
>> currently still
>> ; supported for backwards compatibility, but we recommend you don't
>> use them.
>
> So I don't think short_open_tag should be enabled in php.ini-production.
We're obviously well aware of these considerations by upstream. While the
principle is true that having short_open_tag Off is better, as with
everything there's a tradeoff involved. If you're starting an entirely
blank project from scratch, you really should work only with the setting
off. However, the world is not perfect and there are uncountable amounts
of scripts out there that rely on this feature. We have to balance
breaking all this software against the benefits. Although the benefits as
they are described are real, they're not of extremely high importance.
This makes this case different from e.g. register_globals, where there's
also a large installed base of software relying on it, but the drawbacks
of that function are much much larger than that of short_open_tag, which
are relatively minor.
So the choices are 'ideal production setup' v.s. 'generally workable
defaults without too many adverse effects'.
Cheers,
Thijs
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#668053; Package php5-common.
(Mon, 09 Apr 2012 19:27:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Mon, 09 Apr 2012 19:27:05 GMT) (full text, mbox, link).
Message #41 received at 668053@bugs.debian.org (full text, mbox, reply):
On 2012-04-08 16:37, Thijs Kinkhorst wrote:
> On Sun, April 8, 2012 22:18, Filipus Klutiero wrote:
>> On 2012-04-08 13:07, Thijs Kinkhorst wrote:
>>> On Sun, April 8, 2012 18:36, Filipus Klutiero wrote:
>>>> That's not an opinion, that's a bug. Compare
>>>>> ; Production Value: Off
>>>> with
>>>>> short_open_tag = On
>>>> Off != On
>>> I think what confuses you is that the comments in the php.ini indicate
>>> what upstream considers production values, while what we ship is
>>> different
>>> from that because we do not think that short_open_tag necessarily needs
>>> to
>>> be off for environments considered 'production'.
>>>
>> That looks like it. debian/rules "sanitizes" php.ini files:
>>
>>> # sanitize php.ini file
>>> cat php.ini-production | tr "\t" " " | sed -e'/short_open_tag =/
>>> s/Off/On/g;/session.gc_probability =/ s/1/0/g;/disable_functions =/
>>> s/$$/ $(PCNTL_FUNCTIONS)/g;'>
>>> debian/php5-common/usr/share/php5/php.ini-production
>>> cat php.ini-production | tr "\t" " " | sed -e'/memory_limit =/
>>> s/128M/-1/g;/short_open_tag =/ s/Off/On/g;/session.gc_probability =/
>>> s/1/0/g'> debian/php5-common/usr/share/php5/php.ini-production.cli
>>> cat php.ini-development | tr "\t" " " | sed -e'/short_open_tag =/
>>> s/Off/On/g;/session.gc_probability =/ s/1/0/g;/disable_functions =/
>>> s/$$/ $(PCNTL_FUNCTIONS)/g;'>
>>> debian/php5-common/usr/share/php5/php.ini-development
>> So it looks like we're changing the value of 3-4 default settings from
>> the upstream value, but we're not updating the corresponding
>> documentation.
> I disagree. The comments contain advice by PHP upstream on what to do. We
> supply this advice to the user, but at some points set other defaults.
> That does not mean that the advice is necessarily wrong.
Right, I'm not saying any default value/advice is wrong. I'm just saying
the values disagree. For example, php.ini-production says in its
comments that the recommended production value of short_open_tag is Off.
But it actually recommends On.
>
>> By the way, regarding short_open_tag, according to php.ini
>> "php.ini-production contains settings which hold security, performance
>> and best practices at its core."
> I don't think anyone disagrees with those goals.
>
>> and:
>>> This directive determines whether or not PHP will recognize code between
>>> ;<? and ?> tags as PHP source which should be processed as such. It's
>>> been
>>> ; recommended for several years that you not use the short tag "short
>>> cut" and
>>> ; instead to use the full<?php and ?> tag combination. With the wide
>>> spread use
>>> ; of XML and use of these tags by other languages, the server can
>>> become easily
>>> ; confused and end up parsing the wrong code in the wrong context. But
>>> because
>>> ; this short cut has been a feature for such a long time, it's
>>> currently still
>>> ; supported for backwards compatibility, but we recommend you don't
>>> use them.
>> So I don't think short_open_tag should be enabled in php.ini-production.
> We're obviously well aware of these considerations by upstream. While the
> principle is true that having short_open_tag Off is better, as with
> everything there's a tradeoff involved. If you're starting an entirely
> blank project from scratch, you really should work only with the setting
> off. However, the world is not perfect and there are uncountable amounts
> of scripts out there that rely on this feature. We have to balance
> breaking all this software against the benefits. Although the benefits as
> they are described are real, they're not of extremely high importance.
> This makes this case different from e.g. register_globals, where there's
> also a large installed base of software relying on it, but the drawbacks
> of that function are much much larger than that of short_open_tag, which
> are relatively minor.
>
> So the choices are 'ideal production setup' v.s. 'generally workable
> defaults without too many adverse effects'.
Yes. We're discussing php.ini-production here, not the default php.ini.
Severity set to 'wishlist' from 'normal'
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Tue, 10 Apr 2012 06:12:11 GMT) (full text, mbox, link).
Added tag(s) wontfix.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Tue, 10 Apr 2012 06:12:12 GMT) (full text, mbox, link).
No longer marked as fixed in versions 5.4.1~rc1-1.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Tue, 12 Mar 2013 13:39:06 GMT) (full text, mbox, link).
No longer marked as found in versions php5/5.4.1~rc1-1.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Tue, 12 Mar 2013 13:39:07 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 10 Apr 2013 07:27:06 GMT) (full text, mbox, link).