[gentoo-dev] Last rites: dev-php5/pecl-zip
    # Christian Hoffmann hof...@gentoo.org (12 Apr 2009)
    # Masked for security (bug 265756), unmaintained upstream (last release
    # two years ago), will be removed in 30 days. Use dev-lang/php with
    # USE=zip as a replacement, which is actively maintained and has more
    # features.
    dev-php5/pecl-zip

http://bugs.gentoo.org/show_bug.cgi?id=265756

--
Christian Hoffmann
[gentoo-dev] Re: [gentoo-dev-announce] Automated Package Removal and Addition Tracker, for the week ending 2008-08-10 23h59 UTC
On 2008-08-11 02:15, Robin H. Johnson wrote:
> Removals:
> www-apps/knowledgetree       2008-08-09 21:22:58 hoffie
> dev-php4/ZendOptimizer       2008-08-09 21:53:34 robbat2
> dev-php4/adodb-ext           2008-08-09 21:53:34 robbat2
> dev-php4/creole              2008-08-09 21:53:35 robbat2
> dev-php4/eaccelerator        2008-08-09 21:53:36 robbat2
> dev-php4/ffmpeg-php          2008-08-09 21:53:36 robbat2
> dev-php4/jargon              2008-08-09 21:53:37 robbat2
> dev-php4/jpgraph             2008-08-09 21:53:38 robbat2
> dev-php4/pecl-apc            2008-08-09 21:53:38 robbat2
> dev-php4/pecl-crack          2008-08-09 21:53:39 robbat2
> dev-php4/pecl-fileinfo       2008-08-09 21:53:41 robbat2
> dev-php4/pecl-http           2008-08-09 21:53:41 robbat2
> dev-php4/pecl-id3            2008-08-09 21:53:42 robbat2
> dev-php4/pecl-imagick        2008-08-09 21:53:43 robbat2
> dev-php4/pecl-json           2008-08-09 21:53:43 robbat2
> dev-php4/pecl-mailparse      2008-08-09 21:53:44 robbat2
> dev-php4/pecl-memcache       2008-08-09 21:53:45 robbat2
> dev-php4/pecl-pdflib         2008-08-09 21:53:46 robbat2
> dev-php4/pecl-ps             2008-08-09 21:53:47 robbat2
> dev-php4/pecl-radius         2008-08-09 21:53:47 robbat2
> dev-php4/pecl-sqlite         2008-08-09 21:53:48 robbat2
> dev-php4/pecl-tidy           2008-08-09 21:53:49 robbat2
> dev-php4/pecl-translit       2008-08-09 21:53:49 robbat2
> dev-php4/pecl-yaz            2008-08-09 21:53:50 robbat2
> dev-php4/pecl-zip            2008-08-09 21:53:51 robbat2
> dev-php4/php-java-bridge     2008-08-09 21:53:51 robbat2
> dev-php4/phpdbg              2008-08-09 21:53:52 robbat2
> dev-php4/phpunit             2008-08-09 21:53:53 robbat2
> dev-php4/suhosin             2008-08-09 21:53:54 robbat2
> dev-php4/syck-php-bindings   2008-08-09 21:53:54 robbat2
> dev-php4/xcache              2008-08-09 21:53:55 robbat2
> dev-php4/xdebug              2008-08-09 21:53:55 robbat2

Actually, all those were removed by robbat2 on behalf of me (directly on the CVS server for performance reasons) and I doubt robbat2 wants to be listed as the contact in case of any b0rkage in this case. ;)

So,

    sed -r 's:^(dev-php4.*)robbat2$:\1hoffie:'

if you want to be 100% accurate ;)

--
Christian Hoffmann
[gentoo-dev] Final removal of php-4*
Heya,

it's August 8th, which is the date of official discontinuation of any work on php-4 (even security-related) on upstream-side [1] [2].

On gentoo, =dev-lang/php-4* has already been masked for security reasons since Oct 19th 2007, along with everything which depends on it. Removal from our tree was initially announced for Jan 1st 2008, but we decided to postpone it until today to give users even more time to migrate.

That means, I'm going to remove all php-4-related things today:
* dev-php4/ (will be done by infra)
* dev-lang/php/php-4*

Basically: Everything explicitly listed in package.mask because of php-4. Also, several adjustments to ebuilds, which are still referring to dev-php4/* names (e.g. because of blocks or || ( a b ) deps), will be made by me today.

If you (or your company) have still not upgraded (you probably should not run such a setup anyway, at least if it's publicly accessible), you might be interested in the yet to be created php4 overlay [3], which will be accessible using layman once it is available.

As always, feel free to contact the php team by mail [4] or IRC (Freenode / #gentoo-php).

[1] http://www.php.net/archive/2007.php
[2] http://www.php.net/archive/2008.php#id2008-08-07-1
[3] http://overlays.gentoo.org/proj/php/browser
[4] [EMAIL PROTECTED]

--
Christian Hoffmann
Re: [gentoo-dev] Jeeves IRC replacement now alive - Willikins
On 2008-08-06 23:18, Robin H. Johnson wrote:
> Hi folks,
>
> Sorry that it's taken this long to get completed, but the Jeeves replacement, Willikins, is finally 99% done, and ready to join lots of channels.
>
> Getting the bot out there - If you would like to have the new bot in your #gentoo-* channel, would each channel founder/leader please respond to this thread, stating the channel name, and that they are the contact for any problems/troubles.

I'd at least want him in #gentoo-php. I can't speak for the security team, but I'm really pretty sure, we'd want him in #gentoo-security as well.

So, please let him join:
#gentoo-php
#gentoo-security

--
Christian Hoffmann
[gentoo-dev] USE=threads vs. USE=threadsafe
Heya,

while I was emerging dev-libs/sqlite, I noticed that it uses USE=threadsafe to distinguish between threadsafe and non-threadsafe builds. While this is not strange per-se, lots of (?) other packages seem to make that decision based on USE=threads (dev-lang/php, dev-db/postgresql-base, ...).

I think we should be consistent here, i.e. either change the two packages, which are using USE=threadsafe (dev-libs/sqlite and dev-lang/spidermonkey), to use threads instead or the other way round.

I guess the easiest way would be to move from threadsafe to threads, but I'm not sure whether this is really the better alternative. threadsafe sounds more appropriate to me in those cases, but there would probably be a huge amount of work required to change that.

Now the question is: What do you think is the better way of making this consistent? :)

--
Christian Hoffmann
Re: [gentoo-dev] Re: FRC: debtools herd creation
On 2008-05-20 08:56, Natanael Copa wrote:
> On Fri, 2008-05-16 at 20:06 +0200, Diego 'Flameeyes' Pettenò wrote:
>> Yuri Vasilevski [EMAIL PROTECTED] writes:
>>> I will be adding some debian build tools to the tree, and would like to create the debtools herd to associate with the packages.
>>
>> Just please don't add Debian-OpenSSL ;)
>
> actually, the ssh-keyvuln would be nice. see #221759

Our security team is currently discussing this (or rather something similar) on oss-sec with other distribution maintainers. It certainly is a work in progress. :)

--
Christian Hoffmann
Re: [gentoo-dev] Re: Upcoming masking of dev-lang/php-4* and packages depending on it
On 2007-10-11 at 07:58 +0200, Christian Faulhammer wrote:
> Marius Mauch [EMAIL PROTECTED]:
>> On Sun, 7 Oct 2007 15:13:49 +0200 Christian Hoffmann [EMAIL PROTECTED] wrote:
>>> I'm going to p.mask =dev-lang/php-4* and all packages explicitly depending on this version of php (i.e. the whole dev-php4/ category (36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1]) next weekend (around Oct 14th). This step is necessary as there is hardly any upstream activity anymore.
>>
>> You should probably post that in a more user-oriented channel, like gentoo-announce and/or the forums to reduce the number of surprised users [1]

Ok, haven't seen the thread, but it's probably a very good idea to post something to -announce / forums anyway. I'll do that later today. We'll also move the date of masking to Oct 18th, so that the wider userbase has one full week time to prepare for the masking as well. :)

> Or even write a short summary for the GWN...they would be happy about it.

I already submitted something on the same day I sent the -dev{,-announce} mail.

--
Christian Hoffmann
Gentoo PHP herd
Re: [gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it
On 2007-10-10 at 22:44 -0700, Josh Saddler wrote:
> Since you're doing the masking, can you please help out the GDP by reviewing a few of our documents for any potential changes that must be made? Grepping for php4 shows that there are references in the following docs:

The occurrences of -D PHP4 in all 4 documents can safely be replaced by -D PHP5, syntactically (assuming the software in question works with php-5 as well, but the ebuilds do not depend on =php-4* explicitly, so I guess it's the case here).

Additionally:

1. http://www.gentoo.org/doc/en/jffnms.xml

    sed s:apache2-php4:apache2-php5:g
    sed s:/usr/share/php4:/usr/share/php5:

I'm not sure about the last sentence on the page:

> You may also run into problems when configuring Apache to work with PHP (specially if you run both PHP4 and PHP5 on the same system). In that case, our Configuring Apache to Work with PHP4 and PHP5 guide may give you some help.

Maybe removing it completely would be best?

2. http://www.gentoo.org/doc/en/apache-troubleshooting.xml

This is outdated regarding php anyway:

> $ equery depends www-servers/apache
> [ Searching for packages depending on www-servers/apache... ]
> dev-php/phpsysinfo-2.3-r2
> dev-php/phpsysinfo-2.1-r2
> dev-php/mod_php-4.3.11-r2
^^ should be dev-lang/php-5.2.4_p20070914-r2
> net-www/mod_layout-4.0.1a-r1
> www-servers/gorg-0.5
>
> (then rebuild any modules you have installed)
> # emerge -av '=dev-php/mod_php-4.3.11-r2'
^^ same here, must be '=dev-lang/php-5.2.4_p20070914-r2' (is it really useful to specify full versions here?)
> '=net-www/mod_layout-4.0.1.a-r1'

I know that the PHP documentation itself needs a lot of updates, too, (not only regarding masking of php-4) and I'll try to work on it in the next weeks.

--
Christian Hoffmann
Gentoo PHP herd
Re: [gentoo-dev] Last rites: dev-php5/pecl-pdo*
On 2007-10-08 at 05:37 +0200, Robert Buchholz wrote:
> On Thursday, 4. October 2007, Christian Hoffmann wrote:
>> # Christian Hoffmann [EMAIL PROTECTED] (04 Oct 2007)
>> # Outdated (no releases since May 2006), buggy and possibly vulnerable
>> # to security problems
>
> Anything security-related you know of or just a wild guess?

Not exactly a wild guess, I just didn't want to make a statement on whether these are security problems or not:
* INFILE LOCAL option handling vs. open_basedir or safe_mode
* A crash inside pdo_pgsql on some non-well-formed SQL queries
(both from php-5.2.4 ChangeLog)

That's why I said possibly. :)

--
Christian Hoffmann
Gentoo PHP herd
[gentoo-dev] Upcoming masking of dev-lang/php-4* and packages depending on it
Heya,

I'm going to p.mask =dev-lang/php-4* and all packages explicitly depending on this version of php (i.e. the whole dev-php4/ category (36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1]) next weekend (around Oct 14th).

This step is necessary as there is hardly any upstream activity anymore. The last official version of php-4, 4.4.7, dates back to May 3rd and is in the same state as php-5.2.2 security-wise (and we all know how many issues php-5 had in the past, just have a look at the recently published GLSA 200710-02 [2]). All those security problems, which were fixed in the 5.2 branch, possibly apply to the 4.4 branch as well, yet there are no (backported) fixes in upstream CVS and there is no sign of an upcoming release either.

This means, if we were to continue php-4 support we would have to do the upstream work and compile a list of issues + patches. Upstream developers seem to see it the same way -- "if you really want to get it done - do it" was one reply when I asked what's up with php-4.

No one from our PHP team has the time and motivation to do that work, and as such we are going to mask it (unless someone volunteers to do the work and/or upstream becomes active again).

We will still keep php-4 (and all related packages) in the tree until at least the end of the year (this is the date where official upstream support ends) and bump it if (and not when...) there are any releases.

We advise all users of php-4 to upgrade to php-5 as soon as possible.

[1] https://bugs.gentoo.org/show_bug.cgi?id=194894
[2] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml

--
Christian Hoffmann
Gentoo PHP herd
[gentoo-dev] Last rites: dev-php5/pecl-pdo*
    # Christian Hoffmann [EMAIL PROTECTED] (04 Oct 2007)
    # Outdated (no releases since May 2006), buggy and possibly vulnerable
    # to security problems
    # Masked for removal in 30 days
    # replacement: USE="pdo" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo
    # replacement: USE="pdo sybase mssql" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo-dblib
    # replacement: USE="pdo mysql" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo-mysql
    # replacement: USE="pdo oci8" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo-oci
    # replacement: USE="pdo odbc" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo-odbc
    # replacement: USE="pdo pgsql" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo-pgsql
    # replacement: USE="pdo sqlite" emerge =dev-lang/php-5*
    dev-php5/pecl-pdo-sqlite

The pdo-external USE flag was already removed from all dev-lang/php-5.2* ebuilds (through php5_2-sapi.eclass) some days ago, php-5.1* is masked for removal anyway.

Those external PDO packages do no longer serve any purpose (they are outdated, upstream does not seem to do any new releases at all) as php-5.2* includes the same set of features already (same code base, just more up-to-date).

--
Christian Hoffmann
Gentoo PHP herd