Please merge PHP 5.4 from Debian

Bug #948156 reported by bakytn
This bug affects 27 people
Affects: php5 (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Clint Byrum

Bug Description

PHP 5.4 is actually a major release which includes a lot of changes including performance optimizations and new language constructions, not to mention other enhancements.

Please push it to upcoming LTS Ubuntu repositories.

There shouldn't be any problems with updating packages for both desktop and server.

Dave Walker (davewalker) wrote :

Clint has been looking into this; there may well be a bug that this duplicates.

Thanks.

Changed in php5 (Ubuntu):
importance: Undecided → Wishlist
assignee: nobody → Clint Byrum (clint-fewbar)

Clint Byrum (clint-fewbar) wrote :

The work is only tracked right now in this blueprint:

https://blueprints.launchpad.net/ubuntu/+spec/servercloud-p-php54

The trouble right now is that Suhosin is not yet available for PHP 5.4.0. I've sent a message asking the Suhosin developers what the status of that is, and built a PPA for testing at ppa:clint-fewbar/php5 (still building at the moment).

Changed in php5 (Ubuntu):
status: New → In Progress
milestone: none → ubuntu-12.04-beta-2

Ondřej Surý (ondrej) wrote :

Clint, I have already PHP 5.4 built for lucid to oneiric in my PPA and people are already using it (I have already received some bug reports).

I think that the biggest obstacle is changed API/ABI and need to do the transition for packages which build binary modules (/usr/lib/php5/<phpapi>/<module>.so).

Clint Byrum (clint-fewbar) wrote : Re: [Bug 948156] Re: Include PHP 5.4 to Ubuntu 12.04 release

Excerpts from Ondřej Surý's message of Wed Mar 07 17:44:53 UTC 2012:
> Clint, I have already PHP 5.4 built for lucid to oneiric in my PPA and
> people are already using it (I have already received some bug reports).
>
> I think that the biggest obstacle is changed API/ABI and need to do the
> transition for packages which build binary modules
> (/usr/lib/php5/<phpapi>/<module>.so).

Ondrej, can you please update the blueprint whiteboard with pointers to
your PPA? It seems I'm duplicating a lot of work you've already done!

Ondřej Surý (ondrej) wrote : Re: Include PHP 5.4 to Ubuntu 12.04 release

Updated.

It would be nice if somebody could try to recompile all reverse Build-depends in Ubuntu (and start pulling fixes from Debian + upstream).

I will not have time for that in the next week or two.

Laurent Dinclaux (dreadlox) wrote :

It would be really nice to have 5.4 in this LTS.

5.4 brings significant performance (10 to 20%) and memory usage enhancements (up to 43% less memory usage).

Ondřej Surý (ondrej) wrote :

Transition status in Debian:

- Most packages binNMUable

Rest:
ming - patch needed; NMUed (already in Unstable)
ossp-uuid - upstream fix needed; going to drop php5-uuid (no rev-dep); will NMU DELAYED/5 soon, wrote maintainer yesterday
php-auth-pam - RM requested
php-imlib - patch needed; NMU DELAYED/5
php-suhosin - upstream fix needed; ETA unknown
xdebug - upstream fix in 2.2rc1; ETA: this weekend
zeroc-ice - upstream fix pulled; NMU DELAYED/5
graphviz - patch needed; NMU DELAYED/5
poker-network - upstream broken for other reasons (Python transition; not in testing)
ffmpeg-php - upstream broken for other reasons (FTBFS with ffmpeg 0.6; not in testing)

I think it should be almost safe for Ubuntu to pull PHP 5.4

Clint Byrum (clint-fewbar) wrote :

Thanks Ondrej. I feel pretty good that we should be capable of pushing 5.4.0 into 12.04 if we can move soon (next 7 days or so). I am waiting for information on Suhosin (upstream seems to have gone silent.. maybe I missed where they decided not to ship Suhosin for 5.4 at all?) and whether or not we are willing to ship without it.

Ondřej Surý (ondrej) wrote : Re: [Bug 948156] Re: Include PHP 5.4 to Ubuntu 12.04 release

On Wed, Mar 14, 2012 at 18:50, Clint Byrum <email address hidden> wrote:
> Thanks Ondrej. I feel pretty good that we should be capable of pushing
> 5.4.0 into 12.04 if we can move soon (next 7 days or so). I am waiting
> for information on Suhosin (upstream seems to have gone silent.. maybe I
> missed where they decided not to ship Suhosin for 5.4 at all?) and

Jan Wagner (maintainer of php-suhosin) told me that he got a response
from Stefan, that he will update suhosin for PHP 5.4 after the
release. But no more information after that. And
https://github.com/stefanesser/suhosin has also been silent. Who
knows...

But he is obviously alive: https://github.com/stefanesser/.ipa-PIE-Scanner

> whether or not we are willing to ship without it.

Well, maybe you can ship without and then release a security update
with suhosin updated?

--
Ondřej Surý <email address hidden>

bakytn (bakytn) wrote : Re: Include PHP 5.4 to Ubuntu 12.04 release

How about leaving Suhosin for now?

description: updated

Michael Rolli (mrolli) wrote :

You should definitely leave Suhosin because we can not afford to wait for it and stay at php-5.3 for the next years. php-5.4 is definitely too important. I would appreciate going that way.

+1 for php-5.4 in 12.04!

Derick Rethans (90kfclx5t) wrote :

Let me know if you need anything Xdebug-wise. I don't know what your deadlines are but 2.2.0 (with PHP 5.4 support) is on the way.

Clint Byrum (clint-fewbar) wrote :

Leaving Suhosin would be potentially leaving our users vulnerable, and adding pressure to the security team when new problems are found. The trade off is of course that in 2 years, when upstream PHP drops 5.3, we'll still be backporting security fixes to 12.04's 5.3.10.

The timing of 5.4.0 has been most unfortunate. Had it landed in January, perhaps Suhosin would have been updated in time.

At this point, it's not looking good, unless a compelling argument for dropping Suhosin is made, or Suhosin releases in the next couple of days. In discussing with the security team, there's a strong desire to ship PHP 5.4.0+Suhosin, but quite a bit of hesitation in shipping 5.4.0 without it.

Anyway, once beta2 freezes later this week, I think it's over.

Thus far, I think I'd rather have a well known stabilized PHP 5.3 with Suhosin than 5.4.0 without Suhosin.

I appreciate the effort everyone has been putting into this, and I still have hope, but time is quite short now.

Bart Verwilst (verwilst) wrote :

Hi Clint,

You tried to talk to the Suhosin developers about this, didn't they get back to you?

It's indeed not an easy choice. Keep 5.3.x in (stable, well-tested, no surprises) but be faced with a dangerous forced upgrade 2 years down the road, or throw in 5.4 now and stabilise it + add suhosin when ready, maybe causing issues/bugs at first, but smoothing out over time.

Even though my own production-quality mindset says to stay with 5.3, I would rather have 5.4 right away (since most production systems won't be running Precise in the first month without testing anyways) and be relaxed with the knowledge that I will have to retest a big amount of php websites because of an update in a release that has been stable for 2 years.

Having 5.4.0 now, 5.4.1+suhosin in April/May, 5.4.2, ... etc would be preferred as opposed to having to switch from 5.3.x(?) to 5.4.10 overnight.

Just my 2 cents ;)

bakytn (bakytn) wrote :

Clint, you know I don't think serious productions would go with Ubuntu 12.04 LTS immediately after its release.

They would still use an older one (even 11.10). For some serious production people would definitely start using the new LTS starting from 12.04.1 or so.

PHP 5.4 is a big step forward! Not including it in the upcoming release would lead to many installations of PHP 5.4 by hand.
And people would ask for backports a lot :) That headache is more than for the security team. But it's a headache for users, not for the security team.

Having PHP 5.4 without Suhosin for some time and then updating it later (when it comes) is surely better than having an old version of PHP for years in this LTS.

bakytn (bakytn) wrote :

Is it possible to have 5.3.10 for Server and 5.4 for Desktop?

MarkJ (marker) wrote :

Stefan Esser's response about suhosin for php 5.4
https://twitter.com/#!/i0n1c/status/180216025357361153

What they should do is offer both kinds of packages concurrently:
php5.4 and php5.3
(this is kind of like they did with wine1.0 and wine1.2 supported)

eg:
sudo apt-get install php5.4 php5.4-cli php5.4-xdebug
or
sudo apt-get install php5.3 php5.3-cli php5.3-xdebug

MaikL (news4maikl) wrote :

I hope PHP 5.4 will make it in 12.04. My webhoster is going to upgrade from 5.2 to 5.3 in Q2/2012.
Support of PHP 5.4 would raise the pressure on such legacy webhosters.

Clint Byrum (clint-fewbar) wrote :

Sorry everyone, the lack of an available Suhosin patch for 5.4 has kept this out of 12.04.

Changed in php5 (Ubuntu):
status: In Progress → Triaged
milestone: ubuntu-12.04-beta-2 → none
summary: - Include PHP 5.4 to Ubuntu 12.04 release
+ Please merge PHP 5.4 from Debian

bakytn (bakytn) wrote :

sad

Da Xue (da-t) wrote :

As long as there's a solid backport/PPA, this is a few lines in chef. Let's just hope enough people use them instead of building around 5.3 for the next 3 years.

Jeremy Bícha (jbicha)
tags: added: upgrade-software-version

Daniel Milde (daniel-milde) wrote :

Developers in Archlinux were solving the same problem with Suhosin and decided to stop using it. https://pierre-schmitz.com/php-5-4-1-in-suhosin-out/

Clint Byrum (clint-fewbar) wrote :

FYI, we dropped Suhosin as well, though our security team is hopeful that it will return some day, or perhaps the more cogent mitigations will land in php itself.

Changed in php5 (Ubuntu):
status: Triaged → Fix Released

bakytn (bakytn) wrote :

Cool! Any chance to bring it to Precise via backports?

Aaron Stone (sodabrew) wrote :

+1 for PHP 5.4 in precise-backports. Does that require a new bug to be filed to keep track of?

Ondřej Surý (ondrej) wrote :

PHP 5.4 changes API, so a PHP backport would also need to backport all its rev-deps, and this is quite a major task.

I don't think it's feasible to officially maintain such a huge backport (the other thing is my PPA which includes PHP 5.4 backport including some of its reverse dependencies people have asked for).

Aaron Stone (sodabrew) wrote :

Nuts. What a bummer it didn't make 12.04. Is there an easy way I can list out the rev-deps to get an idea for the scope of this?

Ondřej Surý (ondrej) wrote :

Leo Unglaub (leo-unglaub) wrote :

Are there any updates on this request? What is the current status? Debian is shipping 5.4 for a while now without any problems.

Ondřej Surý (ondrej) wrote :

@Leo: No, and although I am not an Ubuntu PHP maintainer I have already explained why this won't happen in precise. API and ABI changes are quite major to _just_ backport a package like that.
