Gentoo's PHP package is currently not using the system's libcrypt (at least with glibc systems) for the crypt() password hashing function. libcrypt is provided by libxcrypt on modern systems.

The trend appears to be to move to yescrypt for modern crypt-type hashes, which PHP's internal crypt function does not support. It would therefore be desirable to support using an external libcrypt aka libxcrypt.

The configure script has a switch --with-external-libcrypt which the current ebuild does not use. However, it still has a dependency on virtual/libcrypt. It appears this dependency was added due to bug #908674 - which implies that on musl systems php automatically uses the system's libxcrypt. (I have no musl system at hand to test this.) On my glibc system I can say that php does not link against libcrypt.

I'm not sure if --with-external-libcrypt is stable enough to support unconditionally, or if it'd be better to have it behind a USE flag. But it'd be good to support it in some way.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3f3dcbee1d366757fc869fa365717a7d31bae7c1

commit 3f3dcbee1d366757fc869fa365717a7d31bae7c1
Author:     Michael Orlitzky <mjo@gentoo.org>
AuthorDate: 2023-12-08 13:42:33 +0000
Commit:     Michael Orlitzky <mjo@gentoo.org>
CommitDate: 2023-12-08 13:46:42 +0000

    dev-lang/php: always use the system libcrypt

    Unbundling things has inherent value, but this in particular should
    lead to better security. Thanks to hanno for noticing that it wasn't
    default!

    The removal of --enable-ipv6 is unrelated and should be a no-op since
    we append $(use_enable ipv6) to our econf args later on.

    Closes: https://bugs.gentoo.org/919439
    Signed-off-by: Michael Orlitzky <mjo@gentoo.org>

 dev-lang/php/{php-8.2.13.ebuild => php-8.2.13-r1.ebuild} | 2 +-
 dev-lang/php/{php-8.3.0.ebuild => php-8.3.0-r1.ebuild}   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(In reply to Hanno Böck from comment #0)
>
> I'm not sure if --with-external-libcrypt is stable enough to support
> unconditionally, or if it'd be better to have it behind a use flag.

Tests pass. YOLO.
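
An added example, not part of the bug thread or the Gentoo commit: a shell audit for the two checks discussed above, whether a php binary links the system libcrypt and which stored hashes need it. The function names and sample data are constructed; flagging gost-yescrypt and scrypt alongside yescrypt assumes PHP's bundled crypt() covers only the DES, MD5, Blowfish, SHA-256 and SHA-512 families listed in PHP's documentation.

```shell
# Added example; all sample data below is constructed.

# Name the crypt(3) scheme of a hash string from its prefix.
crypt_scheme() {
    case "$1" in
        '$y$'*)          echo yescrypt ;;
        '$gy$'*)         echo gost-yescrypt ;;
        '$7$'*)          echo scrypt ;;
        '$6$'*)          echo sha512crypt ;;
        '$5$'*)          echo sha256crypt ;;
        '$2a$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)          echo md5crypt ;;
        *)               echo other ;;
    esac
}

# Read "user:hash[:...]" lines on stdin and print "user scheme" for hashes that
# need the system libcrypt. Empty, "*" and "!"-prefixed (locked) fields are skipped.
needs_system_libcrypt() {
    while IFS=: read -r user hash _rest; do
        case "$hash" in ''|'!'*|'*'*) continue ;; esac
        scheme=$(crypt_scheme "$hash")
        case "$scheme" in
            yescrypt|gost-yescrypt|scrypt) echo "$user $scheme" ;;
        esac
    done
}

# Read ldd output on stdin; succeed only if libcrypt.so is listed.
# The escaped dot keeps OpenSSL's libcrypto.so from matching.
# Real use: ldd "$(command -v php)" | links_libcrypt
links_libcrypt() { grep -q 'libcrypt\.so'; }

sample_shadow() {
    cat <<'EOF'
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
dave:!$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
EOF
}

sample_ldd_bundled() {
    cat <<'EOF'
    libcrypto.so.3 => /usr/lib64/libcrypto.so.3 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000000000)
EOF
}
sample_ldd_external() { sample_ldd_bundled; echo '    libcrypt.so.2 => /usr/lib64/libcrypt.so.2'; }
```

A php binary for which links_libcrypt fails, on a host where needs_system_libcrypt prints any account, is the situation the report describes.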