Newsgroups: php.internals
From: remi@fedoraproject.org (Remi Collet)
To: internals@lists.php.net
Date: Fri, 29 Mar 2019 08:24:09 +0100
Subject: Re: [PHP-DEV] Updating bundled libs (specifially, oniguruma) on 7.1/7.2

On 28/03/2019 at 22:50, Stanislav Malyshev wrote:
> Hi!
>
> I wonder if there's any reason not to update bundled oniguruma library
> for 7.1/7.2. 7.1 one is ancient, 7.2 one is more recent but still
> behind. There are numerous fixes, I am sure, and one functionality
> improvement that allows to implement proper stack depth limiting
> (https://github.com/php/php-src/pull/3997). Which also makes it kinda
> security-relevant, which is why I am considering 7.1 too. The risk of
> course is that there's some kind of BC break, but I haven't heard about
> something like that. Did anybody?
> Another risk is that newer library requires some new code to handle some
> of the new options, and if we plug it into old code it may expose new
> bugs (e.g. if you use some regex feature but our code can't handle it).
> Quick scan through the release notes does not show anything like that,
> but in theory it's possible.
>
> Anybody has any thoughts on this?

7.1 has version 5.9.6
7.2 has version 6.3.0
7.3 has version 6.9.0 (latest is 6.9.1)
7.4 only uses the system library

As we encourage system library usage (default in 7.4), and if this
raises the minimal allowed version, this will create an issue for 7.4

E.g. RHEL has 5.9
     Debian has 6.1

I think we have to manage such a change in a compatible way.
(feature availability tested in configure)

So, I don't think the bundled library (especially in 7.1) should be updated.


Remi


P.S. from downstream PoV, as soname is different is it possible to have
compat package for library (v5.9 uses 2, v6.1 uses 4, v6.9 uses 5)