Debian Bug report logs - #757342
wheezy-pu: package php5/5.4.31-0+deb7u1

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Ondřej Surý <ondrej@debian.org>

Date: Thu, 7 Aug 2014 09:54:01 UTC

Severity: normal

Tags: wheezy

Done: Julien Cristau <jcristau@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#757342; Package release.debian.org. (Thu, 07 Aug 2014 09:54:06 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 07 Aug 2014 09:54:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: wheezy-pu: package php5/5.4.31-0+deb7u1
Date: Thu, 07 Aug 2014 11:37:30 +0200
Package: release.debian.org
Severity: normal
Tags: wheezy
User: release.debian.org@packages.debian.org
Usertags: pu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Dear release team,

as discussed on #debian-release about possibility of having minor PHP5
updates instead of hoarding various upstream patches, I am submitting
a w-p-u bug to discuss that and to summarize my findings (and my
positive attitude :).

++++++++
UPSTREAM
++++++++

Upstream is doing a (very) good job in not breaking the BC in the stable
branches (e.g. 5.4.x, 5.5.x, 5.6.x) and only had one major regression
in the last couple of years that was quickly fixed (5.4.18->5.4.19 &&
5.5.2->5.5.3).  There's also one edge case that was forced by security
requirements (the serialization of internals objects[*]) introduced in
5.4.29 and fixed in 5.4.30.

The release process is documented in `PHP-RFC`_ and is followed by the
PHP release team/manager:

* x.y.z to x.y.z+1

 * Bugfixes only (with a room for exceptions on a case by case basis
   and only for small self contained features additions).
 * Extensions support can't be removed (like move them to pecl)
 * Backward compatibility must be kept (internals and userland)
 * ABI/API compatibility must be kept (internals)

.. _PHP-RFC: https://wiki.php.net/rfc/releaseprocess

Upstream tests on 32-bit and 64-bit x86 (intel/amd64) and they do not
currently have the infrastructure to test on more archs.  They test
major PHP software before each release (symfony, drupal, wp, joomla,
phpunit and a couple of others under Windows and partially under
Linux).

I am also subscribed to PHP security list, so I closely watch the
upcoming security updates and my general feeling is ok.

+++++++++++++++++
PACKAGING REMARKS
+++++++++++++++++

I have synced the 5.4.31-0+deb7u1 with 5.4.4-14+deb7u13 so the
5.4.31-0+deb7u1 package contains only minimal changes:

 * drop the suhosin remarks from debian/* (it's not used anyway)
 * bump the d/source/format to 3.0 (quilt) and remove the quilt hacks
   from d/rules
 * removed merged upstream patches from d/patches/

++++++++++++
TEST RESULTS
++++++++++++

The php5-common package contains compressed upstream test results in
/usr/share/doc/php5/test-results.txt.gz

There are already a couple of failed tests in 5.4.4-14+deb7u13, so I'll
just focus on the differences.

The comparison between FAILED tests in 5.4.4-14+deb7u13 and
5.4.31-0+deb7u1:

Bugs fixed in the new release
- -----------------------------

- -Bug #62653: unset($array[$float]) causes a crash [Zend/tests/bug62653.phpt]
- -Bug #65579 (Using traits with get_class_methods causes segfault) [Zend/tests/bug65579.phpt]
- -Bug #55283 (SSL options set by mysqli_ssl_set ignored for MySQLi persistent connections) [ext/mysqli/tests/bug55283.phpt]
- -PDO SQLite Feature Request #42589 (getColumnMeta() should also return table name) [ext/pdo_sqlite/tests/bug_42589.phpt]
- -Multicast support: IPv6 receive options [ext/sockets/tests/mcast_ipv6_recv.phpt]
- -Test uniqid() function : basic functionality [ext/standard/tests/general_functions/uniqid_basic.phpt]
- -Bug #48562 (Reference recursion causes segfault when used in wddx_serialize_vars()) [ext/wddx/tests/bug48562.phpt]

Improved test description
- -------------------------

- -Bug #43073 (TrueType bounding box is wrong for angle<>0) [ext/gd/tests/bug43073.phpt]
+Bug #43073 (TrueType bounding box is wrong for angle<>0) freetype < 2.4.10 [ext/gd/tests/bug43073.phpt]
- -Bug #48801 (Problem with imagettfbbox) [ext/gd/tests/bug48801.phpt]
+Bug #48801 (Problem with imagettfbbox) freetype < 2.4.10 [ext/gd/tests/bug48801.phpt]
- -Test function gzgetc() by calling it with its expected arguments [ext/zlib/tests/gzgetc_basic.phpt]
+Test function gzgetc() by calling it with its expected arguments zlib 1.2.5 [ext/zlib/tests/gzgetc_basic.phpt]

New tests that fail
- -------------------

There's a couple of failing MySQL tests already with:
> Warning: mysqli::mysqli(): (HY000/2003): Can't connect to MySQL
> server on '127.0.0.1' (111) in
> <<builddir>>/ext/mysqli/tests/bug66043.php on line 3

It needs to be fixed anyway, and these two bugs are just added on top
of the pile of failed tests:
+Bug #62046     mysqli@mysqlnd can't iterate over stored sets after call to mysqli_stmt_reset() [ext/mysqli/tests/bug62046.phpt]
+Bug #66762     mysqli@libmysql segfault in mysqli_stmt::bind_result() when link closed [ext/mysqli/tests/bug66762.phpt]

We patch PHP to use system timezone database and it doesn't know the
test timezone (ASIA/Chongqing):
+Bug #60723  (error_log error time has changed to UTC ignoring default timezo) [ext/standard/tests/general_functions/bug60723.phpt]

Discovered regressions
- ----------------------

All these tests are online tests and they failed on "Host lookup
failed" or similar.  They all work when run by hand in the chrooted
wheezy.  We should probably disable the online tests anyway, since
they will fail anyway on a firewalled build host.

+ext/sockets - socket_bind - basic test [ext/sockets/tests/socket_bind.phpt]
+gethostbyname() function - basic return valid ip address test [ext/standard/tests/network/gethostbyname_error004.phpt]
+getmxrr() test [ext/standard/tests/network/getmxrr.phpt
+http-stream test [ext/standard/tests/network/http-stream.phpt]

Build host related failures
- ---------------------------

These three tests fail now with 5.4.4-14+deb7u13 as well.  I have
switched my build host to an lxc container, so it's probably related to
missing multicast capabilities.

+Multicast support: IPv4 receive options [ext/sockets/tests/mcast_ipv4_recv.phpt]
+Multicast support: IPv4 send options [ext/sockets/tests/mcast_ipv4_send.phpt]
+Bug #63000: Multicast on OSX [ext/sockets/tests/bug63000.phpt] # NEW TEST

+++++++++++++
Other remarks
+++++++++++++

I run the PHP 5.4 PPA for Ubuntu (ppa:ondrej/php5-oldstable) that is
probably the most used PPA for updating PHP5 in Ubuntu (according to
the number of questions on stackoverflow sites and the google results for
"how to update php5 in ubuntu").  I have never received a single
complaint about broken compatibility in an x.y.z+1 update so far.

+++++++++
ToDo list
+++++++++

* Doublecheck the patch list from 5.4.4-14+deb7u13 for any still
  relevant patches #MANDATORY
* Extract FAILED TEST SUMMARY from test-results, compare them with
  last known state and fail if they differ (this should be arch
  specific) #MANDATORY
* Reduce the number of FAILED TESTS either by fixing them, moving them
  to XFAIL or SKIPing them #WISHIHADMORETIME

Ondrej

- -- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (990, 'testing'), (700, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----
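
The MANDATORY ToDo item in the message above (extract the FAILED TEST SUMMARY, compare it with the last known state per architecture, fail if they differ) could be implemented along these lines. This is an added example, not code from the report or from the php5 packaging; the summary layout, the names `failed_tests`, `gate` and `BASELINES`, and the sample log are assumptions. It keys on the `.phpt` path because, as the "Improved test description" list shows, descriptions change between releases.

```python
import re

# Assumed layout of the run-tests summary inside test-results.txt:
#   a line "FAILED TEST SUMMARY", a dashed rule, one line per failed test
#   ending in "[path/to/test.phpt]", then a closing rule of "=".
ENTRY = re.compile(r"\[([^\[\]\s]+\.phpt)\]\s*$")


def failed_tests(log_text):
    """Return the set of .phpt paths listed under FAILED TEST SUMMARY."""
    paths, in_summary = set(), False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "FAILED TEST SUMMARY":
            in_summary = True
        elif in_summary and stripped and set(stripped) == {"="}:
            break  # closing rule ends the section
        elif in_summary:
            match = ENTRY.search(stripped)
            if match:
                # Key on the path: descriptions change between releases.
                paths.add(match.group(1))
    return paths


def gate(baselines, arch, log_text):
    """Compare against the per-arch baseline; ok is False on any difference."""
    if arch not in baselines:
        # Fail closed: an architecture without a recorded state cannot pass.
        return False, {"error": "no baseline for " + arch}
    current = failed_tests(log_text)
    report = {"new": sorted(current - baselines[arch]),
              "fixed": sorted(baselines[arch] - current)}
    return not (report["new"] or report["fixed"]), report


# Constructed sample: test names taken from the report above, layout assumed.
SAMPLE_LOG = """\
=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #43073 (TrueType bounding box is wrong for angle<>0) freetype < 2.4.10 [ext/gd/tests/bug43073.phpt]
Multicast support: IPv4 receive options [ext/sockets/tests/mcast_ipv4_recv.phpt]
=====================================================================
"""
BASELINES = {"amd64": {"ext/gd/tests/bug43073.phpt", "Zend/tests/bug62653.phpt"}}

if __name__ == "__main__":
    ok, report = gate(BASELINES, "amd64", SAMPLE_LOG)
    print("PASS" if ok else "FAIL", report)
```

A fixed test also fails the gate, so the recorded baseline has to be updated deliberately rather than drifting.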



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#757342; Package release.debian.org. (Wed, 20 Aug 2014 09:57:04 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 20 Aug 2014 09:57:04 GMT) (full text, mbox, link).


Message #10 received at 757342@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: 757342@bugs.debian.org
Subject: Re: wheezy-pu: package php5/5.4.31-0+deb7u1
Date: Wed, 20 Aug 2014 11:53:36 +0200
On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> Package: release.debian.org
> Severity: normal
> Tags: wheezy
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Dear release team,
> 
> as discussed on #debian-release about possibility of having minor PHP5
> updates instead of hoarding various upstream patches, I am submitting
> a w-p-u bug to discuss that and to summarize my findings (and my
> positive attitude :).

If you as the primary PHP maintainer consider upstream QA work on 
minor point updates to be of sufficient quality, we can follow them
for future security updates. That policy has served us very well for
psql, e.g.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#757342; Package release.debian.org. (Wed, 20 Aug 2014 10:09:13 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 20 Aug 2014 10:09:13 GMT) (full text, mbox, link).


Message #15 received at 757342@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 757342@bugs.debian.org
Subject: Re: wheezy-pu: package php5/5.4.31-0+deb7u1
Date: Wed, 20 Aug 2014 12:07:03 +0200
On Wed, Aug 20, 2014, at 11:53, Moritz Mühlenhoff wrote:
> On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: wheezy
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > 
> > Dear release team,
> > 
> > as discussed on #debian-release about possibility of having minor PHP5
> > updates instead of hoarding various upstream patches, I am submitting
> > a w-p-u bug to discuss that and to summarize my findings (and my
> > positive attitude :).
> 
> If you as the primary PHP maintainer consider upstream QA work on 
> minor point updates to be of sufficient quality, we can follow them
> for future security updates. That policy has served us very well for
> psql, e.g.

Do I read that correctly as "no need to go through s-p-u"?

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#757342; Package release.debian.org. (Tue, 26 Aug 2014 11:57:08 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 26 Aug 2014 11:57:08 GMT) (full text, mbox, link).


Message #20 received at 757342@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Ondřej Surý <ondrej@debian.org>
Cc: team@security.debian.org, 757342@bugs.debian.org
Subject: Re: wheezy-pu: package php5/5.4.31-0+deb7u1
Date: Tue, 26 Aug 2014 13:54:08 +0200
On Wed, Aug 20, 2014 at 12:07:03PM +0200, Ondřej Surý wrote:
> On Wed, Aug 20, 2014, at 11:53, Moritz Mühlenhoff wrote:
> > On Thu, Aug 07, 2014 at 11:37:30AM +0200, Ondřej Surý wrote:
> > > Package: release.debian.org
> > > Severity: normal
> > > Tags: wheezy
> > > User: release.debian.org@packages.debian.org
> > > Usertags: pu
> > > 
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > > 
> > > Dear release team,
> > > 
> > > as discussed on #debian-release about possibility of having minor PHP5
> > > updates instead of hoarding various upstream patches, I am submitting
> > > a w-p-u bug to discuss that and to summarize my findings (and my
> > > positive attitude :).
> > 
> > If you as the primary PHP maintainer consider upstream QA work on 
> > minor point updates to be of sufficient quality, we can follow them
> > for future security updates. That policy has served us very well for
> > psql, e.g.
> 
> Do I read that correctly as "no need to go through s-p-u"?

If there are security issues worth a DSA, the PHP point release can be released
through security.debian.org, otherwise they need to go through s-p-u. That's
the same way we handled Postgres or the kernel (which also is based on the 3.2.x
point releases).

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#757342; Package release.debian.org. (Fri, 17 Oct 2014 14:33:05 GMT) (full text, mbox, link).


Acknowledgement sent to Ondřej Surý <ondrej@sury.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 17 Oct 2014 14:33:05 GMT) (full text, mbox, link).


Message #25 received at 757342@bugs.debian.org (full text, mbox, reply):

From: Ondřej Surý <ondrej@sury.org>
To: Debian Security Team <team@security.debian.org>, 757342@bugs.debian.org
Subject: PHP 5.4.34 released
Date: Fri, 17 Oct 2014 16:28:17 +0200
Hi,

so... PHP 5.4.34 has been released that fixes CVE-2014-3668,
CVE-2014-3669 and CVE-2014-3670.

Do you think that, in line with what has been said in #757342, we could try
updating this as 5.4.34 instead of cherry-picking the changes?

Cheers,
-- 
Ondřej Surý <ondrej@sury.org>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#757342; Package release.debian.org. (Sat, 08 Nov 2014 22:27:07 GMT) (full text, mbox, link).


Acknowledgement sent to intrigeri <intrigeri@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 08 Nov 2014 22:27:07 GMT) (full text, mbox, link).


Message #30 received at 757342@bugs.debian.org (full text, mbox, reply):

From: intrigeri <intrigeri@debian.org>
To: 757342@bugs.debian.org
Subject: Re: Bug#757342: PHP 5.4.34 released
Date: Sat, 08 Nov 2014 23:24:41 +0100
Hi,

Ondřej Surý wrote (17 Oct 2014 14:28:17 GMT) :
> Do you think, that in line what has been said in #757342, we could try
> updating this as 5.4.34 instead of cherry-picking the changes?

I see that 5.4.34-0+deb7u1 is in wheezy-security, and was also
accepted in wheezy-p-u. Shall we then close this bug, or are stable pu
bugs handled differently? (e.g. I could imagine that bugs are only
closed at point-release time, or tagged in some way)

Cheers,
--
intrigeri



Reply sent to Julien Cristau <jcristau@debian.org>:
You have taken responsibility. (Sat, 08 Nov 2014 22:45:09 GMT) (full text, mbox, link).


Notification sent to Ondřej Surý <ondrej@debian.org>:
Bug acknowledged by developer. (Sat, 08 Nov 2014 22:45:10 GMT) (full text, mbox, link).


Message #35 received at 757342-done@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>
To: intrigeri <intrigeri@debian.org>, 757342-done@bugs.debian.org
Subject: Re: Bug#757342: PHP 5.4.34 released
Date: Sat, 8 Nov 2014 22:44:07 +0000
On Sat, Nov  8, 2014 at 23:24:41 +0100, intrigeri wrote:

> Hi,
> 
> Ondřej Surý wrote (17 Oct 2014 14:28:17 GMT) :
> > Do you think, that in line what has been said in #757342, we could try
> > updating this as 5.4.34 instead of cherry-picking the changes?
> 
> I see that 5.4.34-0+deb7u1 is in wheezy-security, and was also
> accepted in wheezy-p-u. Shall we then close this bug, or are stable pu
> bugs handled differently? (e.g. I could imagine that bugs are only
> closed at point-release time, or tagged in some way)
> 
Let's close this.

Cheers,
Julien

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 07 Dec 2014 07:28:56 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 02:11:21 2023; Machine Name: bembo
