
Bug 611214

Summary: dev-lang/php: use production ini file unconditionally
Product: Gentoo Linux
Reporter: Michael Orlitzky <mjo>
Component: Current packages
Assignee: PHP Bugs <php-bugs>
Status: RESOLVED FIXED
Severity: normal
CC: hydrapolic, whissi
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=530002
Whiteboard:
Package list:
Runtime testing required: ---

Description Michael Orlitzky gentoo-dev 2017-02-28 14:58:56 UTC
We give our users the option of installing either the "development" or "production" ini files via the PHP_INI_VERSION variable. It defaults to the development version.

The differences between the two are:

  * error_reporting (E_ALL in dev, E_ALL & ~E_DEPRECATED & ~E_STRICT in prod)
  * display_errors (on in dev, off in prod)
  * display_startup_errors (on in dev, off in prod)
  * mysqlnd.collect_memory_statistics (on in dev, off in prod)

The display_errors setting is a tiny bit sensitive, since it can leak details about a crashed application. Keeping in mind that dev-lang/php can get pulled in as part of e.g. mail-client/roundcube, I think it would be preferable to at least install the production ini by default.

The question then is, is it worth having an environment variable dedicated to twiddling those three other settings? I think not.

Another benefit to limiting ourselves to one ini file is that it becomes easier to patch it. Right now we have some crazy sed calls in the ebuild that could be patched instead (we would use a placeholder for EPREFIX). And while we're at it, I don't like setting session.save_path = "/tmp" by default since it lets other system users hijack sessions.

This would also let us patch opcache.validate_permission easier:

  http://www.openwall.com/lists/oss-security/2017/02/27/4
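
The directives singled out in this report can be checked in an installed php.ini. The following is an added example, not part of the bug report or of the Gentoo ebuild; the function names, the sample ini text, and the assumption that opcache.validate_permission is meant to be enabled are illustrative.

```python
import re

TRUE_VALUES = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return explicitly set directives; the last assignment of a key wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue  # blank line, comment, or section header
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        quoted = re.match(r'"([^"]*)"', value)
        # Quoted values may contain ';' (e.g. "N;/path"); otherwise ';' starts a comment.
        value = quoted.group(1) if quoted else value.split(";", 1)[0].strip()
        settings[key.strip()] = value
    return settings

def audit(text):
    """List findings for the directives discussed in the bug report."""
    s = parse_ini(text)
    findings = []
    for key in ("display_errors", "display_startup_errors"):
        if s.get(key, "").lower() in TRUE_VALUES:
            findings.append(f"{key}: on, error details reach the client")
    # session.save_path may be "N;/path" or "N;MODE;/path"; the directory is last.
    path = s.get("session.save_path", "").split(";")[-1].rstrip("/")
    if path == "/tmp":
        findings.append("session.save_path: /tmp is shared with other system users")
    # Assumption: the report's intent is to enable this directive.
    if s.get("opcache.validate_permission", "").lower() not in TRUE_VALUES:
        findings.append("opcache.validate_permission: not enabled")
    return findings

# Constructed sample resembling a development-style php.ini.
SAMPLE_DEV = """\
[PHP]
display_errors = On          ; shown to visitors
display_startup_errors = On
[Session]
session.save_path = "/tmp"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_DEV):
        print(finding)
```

Only explicitly set display and session directives are evaluated; a directive left unset falls back to the PHP build's own default, which this check does not model.
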
Comment 1 Michael Orlitzky gentoo-dev 2017-03-21 19:33:41 UTC
commit eb52e5fc00c55bb18c93beca65e3bf97a1f7ad45
Author: Michael Orlitzky <mjo@gentoo.org>
Date:   Tue Mar 21 13:50:27 2017 -0400

    dev-lang/php: new revisions to phase out PHP_INI_VERSION.

    These three new revisions install the "production" version of php.ini
    unconditionally. The changes between the two versions are minimal
    anyway, and the production version is safer for people who don't care.

    A warning will be emitted for users who still have the variable set.

    In addition, the 5.6 and 7.0 series will now cache their ./configure
    test results. This is based on a similar change made in 7.1, and
    should speed up the build a little.

    Gentoo-Bug: 530002
    Gentoo-Bug: 611214

    Package-Manager: Portage-2.3.3, Repoman-2.3.1