Debian Bug report logs - #752086
[php5] Please do not request users to read UPGRADING in NEWS.Debian
Reported by: Filipus Klutiero <chealer@gmail.com>
Date: Thu, 19 Jun 2014 14:15:05 UTC
Severity: wishlist
Found in version php5/5.6.0~beta4+dfsg-4
Done: Ondřej Surý <ondrej@sury.org>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#752086; Package php5.
(Thu, 19 Jun 2014 14:15:10 GMT)
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 19 Jun 2014 14:15:10 GMT)
Message #5 received at submit@bugs.debian.org:
Package: php5
Version: 5.6.0~beta4+dfsg-4
Severity: wishlist
The 5.6.0~beta4+dfsg-2 changelog entry reads:
> * Please read full upgrade notes available from
> /usr/share/doc/php5-common/UPGRADING
> * Here are the backwards incompatible changes as listed by upstream:
>
> - Core:
> By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
> arrays. Quick example to illustrate:
> class Test {
>     const FIRST = 1;
>     public $array = array(
>         self::FIRST => 'first',
>         'second',
>         'third'
>     );
> }
> Test::$array will have as expected three array keys (1, 2, 3) and no longer
> two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
> but will mark the beginning of indexing.
>
> - JSON:
> json_decode() no longer accepts non-lowercase variants of lone JSON true,
> false or null values. For example, True or FALSE will now cause json_decode to
> return NULL and set an error value you can fetch with json_last_error().
> This affects JSON texts consisting solely of true, false or null. Text
> containing non-lowercase values inside JSON arrays or objects has never been
> accepted.
>
> - OpenSSL:
> To prevent man-in-the-middle attacks against encrypted transfers client
> streams now verify peer certificates by default. Previous versions
> required users to manually enable peer verification. As a result of this
> change, existing code using ssl:// or tls:// stream wrappers (e.g.
> file_get_contents(), fsockopen(), stream_socket_client()) may no longer
> connect successfully without manually disabling peer verification via the
> stream context's "verify_peer" setting. Encrypted transfers delegate to
> operating system certificate stores by default if not overridden via the
> new openssl.cafile and openssl.cafile ini directives or via call-time SSL
> context options, so most users should be unaffected by this transparent
> security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
>
> - Mcrypt:
> The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
> longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
> required if the used block cipher mode requires it.
We shouldn't request users to read the full upgrade notes for 2 reasons:
1. We have nothing to gain from users reading that. We should simply inform them for their own good.
2. Even users usually don't need to read the full upgrade notes. Only a minority of developers want to read the full upgrade notes. Even the backwards-incompatible changes don't need to be read on many systems which only use packaged PHP scripts.
Note that there is no /usr/share/doc/php5-common/UPGRADING
UPGRADING is gzipped.
--
Filipus Klutiero
http://www.philippecloutier.com
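The OpenSSL item in the changelog quoted above, as an added example that is not part of the bug log or of the php5 package: when an ssl:// or tls:// client stops connecting after the upgrade, supply the trust anchor at call time rather than switching "verify_peer" off. The host name and CA bundle path are placeholders.

```php
<?php
// Added example: keep peer verification on and tell PHP which CA to trust.

/**
 * Build a client stream context for the ssl:// and tls:// wrappers.
 * $caFile is a hypothetical path to a PEM bundle for a private CA;
 * pass null to rely on the openssl.cafile ini setting or the OS store.
 */
function verified_tls_context($peerName, $caFile = null)
{
    $ssl = array(
        'verify_peer'      => true,      // the 5.6 default, stated explicitly
        'verify_peer_name' => true,      // certificate must match $peerName
        'peer_name'        => $peerName,
    );
    if ($caFile !== null) {
        if (!is_readable($caFile)) {
            throw new RuntimeException("CA bundle not readable: $caFile");
        }
        $ssl['cafile'] = $caFile;        // call-time override of the trust store
    }
    return stream_context_create(array('ssl' => $ssl));
}

/** Open a verified TLS connection; returns the stream or throws. */
function connect_verified($host, $port, $caFile = null, $timeout = 5.0)
{
    $ctx  = verified_tls_context($host, $caFile);
    $conn = @stream_socket_client("tls://$host:$port", $errno, $errstr,
                                  $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($conn === false) {
        // Report the failure; never retry with verification disabled.
        throw new RuntimeException("TLS connect to $host:$port failed: $errstr ($errno)");
    }
    return $conn;
}

// Constructed usage: host and CA path are placeholders, not from the bug log.
try {
    $conn = connect_verified('internal.example.test', 443, '/etc/ssl/private-ca.pem');
    fwrite($conn, "HEAD / HTTP/1.0\r\nHost: internal.example.test\r\n\r\n");
    echo fgets($conn);
    fclose($conn);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
}
```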
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#752086; Package php5.
(Thu, 19 Jun 2014 14:45:04 GMT)
Acknowledgement sent
to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 19 Jun 2014 14:45:04 GMT)
Message #10 received at 752086@bugs.debian.org:
On Thu, June 19, 2014 16:10, Filipus Klutiero wrote:
> Package: php5
> Version: 5.6.0~beta4+dfsg-4
> Severity: wishlist
>
> The 5.6.0~beta4+dfsg-2 changelog entry reads:
> We shouldn't request users to read the full upgrade notes for 2 reasons:
>
> 1. We have nothing to gain from users reading that. We should simply
> inform them for their own good.
So we have nothing to gain from users reading upgrade notes but we should
simply inform them? This is an internal contradiction: we shouldn't have
users read upgrade notes but they should know about upgrade issues. Right.
> 2. Even users usually don't need to read the full upgrade notes. Only a
> minority of developers want to read the full upgrade notes. Even the
> backwards-incompatible changes don't need to be read on many systems
> which only use packaged PHP scripts.
I'm fairly certain from experience that the vast majority of users are
running non-packaged PHP on their systems, which is a completely normal
use case. They should be informed of the changes in PHP versions.
I see no issue here.
Cheers,
Thijs
Reply sent
to Ondřej Surý <ondrej@sury.org>:
You have taken responsibility.
(Thu, 19 Jun 2014 14:48:10 GMT)
Notification sent
to Filipus Klutiero <chealer@gmail.com>:
Bug acknowledged by developer.
(Thu, 19 Jun 2014 14:48:10 GMT)
Message #15 received at 752086-done@bugs.debian.org:
Version: 5.6.0~beta4+dfsg-5
# or some other future version...
For god sake, could you send a patch with proposed changes next time
instead of filing bug reports for such minor stuff?
O.
On Thu, Jun 19, 2014, at 16:10, Filipus Klutiero wrote:
> Package: php5
> Version: 5.6.0~beta4+dfsg-4
> Severity: wishlist
> The 5.6.0~beta4+dfsg-2 changelog entry reads:
>> * Please read full upgrade notes available from
>> /usr/share/doc/php5-common/UPGRADING
>> * Here are the backwards incompatible changes as listed by upstream:
>> - Core:
>> By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
>> arrays. Quick example to illustrate:
>> class Test {
>>     const FIRST = 1;
>>     public $array = array(
>>         self::FIRST => 'first',
>>         'second',
>>         'third'
>>     );
>> }
>> Test::$array will have as expected three array keys (1, 2, 3) and no longer
>> two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
>> but will mark the beginning of indexing.
>> - JSON:
>> json_decode() no longer accepts non-lowercase variants of lone JSON true,
>> false or null values. For example, True or FALSE will now cause json_decode to
>> return NULL and set an error value you can fetch with json_last_error().
>> This affects JSON texts consisting solely of true, false or null. Text
>> containing non-lowercase values inside JSON arrays or objects has never been
>> accepted.
>> - OpenSSL:
>> To prevent man-in-the-middle attacks against encrypted transfers client
>> streams now verify peer certificates by default. Previous versions
>> required users to manually enable peer verification. As a result of this
>> change, existing code using ssl:// or tls:// stream wrappers (e.g.
>> file_get_contents(), fsockopen(), stream_socket_client()) may no longer
>> connect successfully without manually disabling peer verification via the
>> stream context's "verify_peer" setting. Encrypted transfers delegate to
>> operating system certificate stores by default if not overridden via the
>> new openssl.cafile and openssl.cafile ini directives or via call-time SSL
>> context options, so most users should be unaffected by this transparent
>> security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
>> - Mcrypt:
>> The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
>> longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
>> required if the used block cipher mode requires it.
> We shouldn't request users to read the full upgrade notes for 2 reasons:
> 1. We have nothing to gain from users reading that. We should simply inform them for their own good.
> 2. Even users usually don't need to read the full upgrade notes. Only a minority of developers want to read the full upgrade notes. Even the backwards-incompatible changes don't need to be read on many systems which only use packaged PHP scripts.
> Note that there is no /usr/share/doc/php5-common/UPGRADING
> UPGRADING is gzipped.
> --
> Filipus Klutiero
> http://www.philippecloutier.com
> _______________________________________________
> pkg-php-maint mailing list
> pkg-php-maint@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
--
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#752086; Package php5.
(Thu, 19 Jun 2014 15:18:04 GMT)
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 19 Jun 2014 15:18:04 GMT)
Message #20 received at 752086@bugs.debian.org:
Hi Thijs,
On 2014-06-19 10:42, Thijs Kinkhorst wrote:
> On Thu, June 19, 2014 16:10, Filipus Klutiero wrote:
>> Package: php5
>> Version: 5.6.0~beta4+dfsg-4
>> Severity: wishlist
>>
>> The 5.6.0~beta4+dfsg-2 changelog entry reads:
>> We shouldn't request users to read the full upgrade notes for 2 reasons:
>>
>> 1. We have nothing to gain from users reading that. We should simply
>> inform them for their own good.
> So we have nothing to gain from users reading upgrade notes but we should
> simply inform them? This is an internal contradiction: we shouldn't have
> users read upgrade notes but they should know about upgrade issues.
I wouldn't say that we "shouldn't have users read upgrade notes". What I was saying is that if there is a benefit to users reading upgrade notes, we're not those who enjoy it, users are. It's fine to say "We recommend to read the upgrade notes, which are available in [...]", but not to ask users to read.
> Right.
>
> [...]
> I see no issue here. Cheers, Thijs
--
Filipus Klutiero
http://www.philippecloutier.com
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>:
Bug#752086; Package php5.
(Thu, 19 Jun 2014 15:27:17 GMT)
Acknowledgement sent
to Filipus Klutiero <chealer@gmail.com>:
Extra info received and forwarded to list. Copy sent to Debian PHP Maintainers <pkg-php-maint@lists.alioth.debian.org>.
(Thu, 19 Jun 2014 15:27:17 GMT)
Message #25 received at 752086@bugs.debian.org:
reopen 752086
reopen 752085
thanks
On 2014-06-19 10:44, Ondřej Surý wrote:
> Version: 5.6.0~beta4+dfsg-5
>
> # or some other future version...
>
> For god sake, could you send a patch with proposed changes next time instead of filing bug reports for such minor stuff?
When you'll be asked to read a document more than 5 pages long uselessly, you won't qualify your waste of time as "minor".
For God's sake, why did this message close #752085? Do *not* close reports using versions which do not exist.
> O.
> On Thu, Jun 19, 2014, at 16:10, Filipus Klutiero wrote:
>> Package: php5
>> Version: 5.6.0~beta4+dfsg-4
>> Severity: wishlist
>> The 5.6.0~beta4+dfsg-2 changelog entry reads:
>>> * Please read full upgrade notes available from
>>> /usr/share/doc/php5-common/UPGRADING
>>> * Here are the backwards incompatible changes as listed by upstream:
>>> - Core:
>>> By fixing bug #66015 it is no longer possible to overwrite keys in static scalar
>>> arrays. Quick example to illustrate:
>>> class Test {
>>>     const FIRST = 1;
>>>     public $array = array(
>>>         self::FIRST => 'first',
>>>         'second',
>>>         'third'
>>>     );
>>> }
>>> Test::$array will have as expected three array keys (1, 2, 3) and no longer
>>> two (0, 1). self::FIRST will no longer overwrite 'third' having key 1 then,
>>> but will mark the beginning of indexing.
>>> - JSON:
>>> json_decode() no longer accepts non-lowercase variants of lone JSON true,
>>> false or null values. For example, True or FALSE will now cause json_decode to
>>> return NULL and set an error value you can fetch with json_last_error().
>>> This affects JSON texts consisting solely of true, false or null. Text
>>> containing non-lowercase values inside JSON arrays or objects has never been
>>> accepted.
>>> - OpenSSL:
>>> To prevent man-in-the-middle attacks against encrypted transfers client
>>> streams now verify peer certificates by default. Previous versions
>>> required users to manually enable peer verification. As a result of this
>>> change, existing code using ssl:// or tls:// stream wrappers (e.g.
>>> file_get_contents(), fsockopen(), stream_socket_client()) may no longer
>>> connect successfully without manually disabling peer verification via the
>>> stream context's "verify_peer" setting. Encrypted transfers delegate to
>>> operating system certificate stores by default if not overridden via the
>>> new openssl.cafile and openssl.cafile ini directives or via call-time SSL
>>> context options, so most users should be unaffected by this transparent
>>> security enhancement. (https://wiki.php.net/rfc/tls-peer-verification)
>>> - Mcrypt:
>>> The mcrypt_encrypt(), mcrypt_decrypt() and mcrypt_{MODE}() functions no
>>> longer accept keys or IVs with incorrect sizes. Furthermore an IV is now
>>> required if the used block cipher mode requires it.
>> We shouldn't request users to read the full upgrade notes for 2 reasons:
>>
>> 1. We have nothing to gain from users reading that. We should simply inform them for their own good.
>> 2. Even users usually don't need to read the full upgrade notes. Only a minority of developers want to read the full upgrade notes. Even the backwards-incompatible changes don't need to be read on many systems which only use packaged PHP scripts.
>>
>> Note that there is no /usr/share/doc/php5-common/UPGRADING
>> UPGRADING is gzipped.
>> --
>> Filipus Klutiero
>> http://www.philippecloutier.com
>> _________________________________________________
>> pkg-php-maint mailing list
>> pkg-php-maint@lists.alioth.debian.org
>> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-php-maint
> --
> Ondřej Surý <ondrej@sury.org>
> Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
--
Filipus Klutiero
http://www.philippecloutier.com
Marked as fixed in versions php5/5.6.0~beta4+dfsg-5.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Wed, 09 Jul 2014 08:24:19 GMT)
No longer marked as fixed in versions php5/5.6.0~beta4+dfsg-5 and 5.6.0~beta4+dfsg-5.
Request was from Ondřej Surý <ondrej@debian.org>
to control@bugs.debian.org.
(Wed, 09 Jul 2014 08:24:20 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Thu, 07 Aug 2014 07:36:37 GMT)
Last modified:
Sun Jul 2 03:03:36 2023;