
Ben Ramsey:
Composer Missing Distributions for Explicit References
June 18, 2015 @ 10:14:31

Ben Ramsey has shared an interesting issue he came across when installing packages via Composer: a fresh install pulled in a different version of a library than the one he had locked it to. The problem turned out to come from an unexpected place.

For applications I control that are not distributed to the public, I like to hard-lock my Composer dependencies to a specific version. [...] Sometimes a library has updates that haven't yet been released, and I need to use these right away. Composer allows me to specify the specific commit I want to use for a library. In this way, I can hard-lock a dependency to a specific state, even when there is not yet a release for the changes I need. This has worked well until today, when I tried to do a fresh composer install. After installing, one library contained files and methods that I did not expect. It turns out Composer was grabbing the HEAD of dev-master instead of the specific commit I referenced.

After some investigation into the contents of his "composer.lock" file, he found the cause: the way that BitBucket handles the distribution zip files Composer requests. In his example, the zip file contained the HEAD of the repository, not the specific commit (GitHub doesn't have this problem). His solution was to use the (slower) "--prefer-source" option to grab the correct commit contents. It's not an ideal solution, but it does what he needs.


Link: http://benramsey.com/blog/2015/06/composer-missing-distributions/

Pádraic Brady:
Securely Distributing PHARs Pitfalls and Solutions
March 04, 2015 @ 11:46:10

Pádraic Brady has a new article on his site talking about the secure distribution of phars (PHP archive files) including some of the common pitfalls and potential solutions.

The PHAR ecosystem has become a separate distribution mechanism for PHP code, distinct from what we usually consider PHP packages via PEAR and Composer. However, they still suffer from all of the same problems, namely the persisting whiff of security weaknesses in how their distribution is designed. [...] [Several security-related issues introduce an element of risk that the code you receive is not actually the code the author intended to distribute, i.e. it may decide to go do some crazy things that spell bad news when executed.

He shares some of the steps he's taken to secure his own phar for a CLI application with things like:

  • Distribute the PHAR over HTTPS
  • Enforce TLS verification
  • Sign your PHAR with a private key
  • Avoid PHAR Installer scripts
  • Manage Self-Updates securely

He finishes the post with one of the most important parts of the article - a reminder to do all of the things on the list above consistently.

This is not an outrageous outcome to introducing proper security on PHAR downloads. Go forth and do it for all PHARs. Help create an environment where distributing and installing code in secure ways is the normal expected thing to do.

Link: http://blog.astrumfutura.com/2015/03/securely-distributing-phars-pitfalls-and-solutions/

Community News:
Default JSON Support Licensing Issues in PHP
August 21, 2013 @ 11:13:57

Despite the misleading title, this post on Reddit discusses a switch that some Linux distributions are making when it comes to JSON support in PHP. They're moving away from the built-in support in favor of including this one.

In a quote from Nikita Popov (a comment on the post) he notes that:

It is true that some Linux distribution switched from json to json-c, but this should be transparent to the user. The standard PHP distribution still ships the JSON extension as it always did. [...] You should all take this chance to switch to PHP 5.5, so you can see that everything works fine and that PHP 5.5 is awesome

He also includes comments from the Remi (Fedora) project about the switch, noting that the end user shouldn't notice any kind of issues. The reasoning behind the switch has to do with licensing and usage issues of the previously built-in extension. You can find out more about that issue in this bug report.


Link: http://www.reddit.com/r/PHP/comments/1ksnzw/php_json_removed_in_php_55

Lorna Mitchell:
PHP Version Adoption
June 04, 2013 @ 10:15:58

In this new post to her blog Lorna Mitchell takes a look at some of the current statistics around PHP version adoption - all the way from the ancient 5.0 through the shiny new (upcoming) 5.5 releases.

PHP runs over 75% of all websites whose technologies are known (source: w3techs), which makes for a really REALLY long tail of users who once installed wordpress, phpmyadmin, or some other open source project that helped their business needs at the time. What they don't do is upgrade. PHP's current usage statistics look like this (source and raw numbers are if you want them):

She points out that around half of the results show sites running on unsupported versions of PHP (<=5.2) but notes that it's not always their choice. Many of the factors that play into upgrading these versions are not always in the user's control (like the speed of distro updates). She covers some of the things that came around in the newer versions of PHP 5.2 and 5.3 including some large performance jumps, especially in 5.4.

In truth, the future is already here for those people on PHP 5.4 and beyond. Keeping PHP upgraded is just part of our regular maintenance workflow, and the language is progressing in regular and manageable steps. If you've been left behind then I strongly recommend that you start making plans for upgrading your platform, or moving to a newer one.

Link: http://www.lornajane.net/posts/2013/php-version-adoption

Ilia Alshanetsky's Blog:
Domain Distribution by City
December 22, 2010 @ 13:56:17

Ilia Alshanetsky has posted the next set of results from his ongoing research into domains running PHP. In this latest post he looks at the domain distribution by city, with most falling in the US, Europe and China.

I am making available two additional geographic charts that break down the domain distribution by top world cities. The first chart, a preview of which can be seen below (click to see full, browse-able/zoomable version), shows the Top 150 cities, by domain distribution. These cities represent a total 91.3% of some 102 million domains that could be resolved to a city level.

The top-ranking city is Scottsdale, Arizona in the US (because the large domain provider GoDaddy is based there), with second place going to San Francisco, California. He's created both an interactive map you can use to see the numbers for different parts of the world and a concentration view of the same results, making them a bit easier to digest.



Stuart Herbert's Blog:
Researching Distro-Specific PHP Problems
May 15, 2009 @ 08:46:44

Stuart Herbert is looking for some more input on a different sort of question (one that I can't say I've seen asked before): what are some of the issues with default Linux distribution PHP installs?

Most Linux distributions ship with packages for PHP, but not everyone is happy with these packages. If you're not happy with the PHP packages for a specific Linux distro (no matter how obscure), I'd love to hear what you think the problems are and (if possible) what the correct solution should be.

Just leave a comment on the post with the things you might have noticed. Comments already made reference issues in Debian/Ubuntu, RedHat and a few other more general "state of PHP packages" comments too.



Derick Rethans' Blog:
Distributions Please Don't Cripple PHP or Red Hat Stop Fucking Around
February 04, 2009 @ 16:11:11

Derick Rethans has a few choice words for those developing PHP packages for Linux distributions: don't cripple PHP. His example deals specifically with Red Hat and their choices on timezone management.

Red Hat thought it'd be wise to create a patch to use the system provided timezone database instead. We (the PHP development team) thought that to be a bad idea because of several reasons. Among them is that it removes control from PHP's users about which database is, decreased performance, and some missing functionality

He mentions other problems - other issues related to timezone support - that caused them to not accept RedHat's patch to try to "fix" things by disabling the bundled timezone database. He looks at why this is such a bad thing, why it can cause trouble with PHP's date handling and what the future holds for this database support (hint: PHP 5.3 will shake things up).



Andi Gutmans' Blog:
Zend Framework to be part of Ubuntu!
February 29, 2008 @ 11:11:59

Andi Gutmans has some great news for Ubuntu users - the Zend Framework will be included in a future version of the Linux distribution (Hardy Heron, Ubuntu 8).

We are very proud to be an integral part of the Ubuntu distribution going forward. This is an important step towards making Zend Framework accessible to a broader audience and by working closely with the MOTUs we are able to ensure a positive end-user experience.

Andi also points out some of the stats from the framework's life so far: 4M downloads of Zend Framework, 500K of them unique and only growing stronger.



Secunia.com:
Ubuntu Update for PHP
May 23, 2007 @ 12:03:00

In this new advisory posted on the Secunia.com site today, there's an announcement of a highly critical update for Ubuntu users for their PHP distributions.

Ubuntu has issued an update for php. This fixes some vulnerabilities, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions and potentially by malicious people to compromise a vulnerable system.

Check out the posting to grab the links for the packages for the various distributions (and for the different version numbers of Ubuntu). As this issue is marked as "highly critical" it's recommended that you update your installation as soon as possible.



Nexen.net:
English Articles and a Single Distribution Resource
January 22, 2007 @ 17:29:00

Damien Seguy (maintainer of the French PHP site, Nexen.net) has passed along two new helpful links for those checking out the site - one specifically for the English-speaking audience out there and the other an effort to consolidate the distributions out there.

Two pieces of news for you - I have set up a page which collects all English articles on Nexen.net. http://www.nexen.net/the_english_speaking_nexen.net.php That's not much, but it will help non-French speaking readers.

I collected the list of PHP and MySQL distributions. Nowadays, there are way too many sources for those two technologies to be downloaded from: official version, snaps, installers, source, binaries, source control... So I made a list of them, and they are now in one place to be found.

The "one place" is this page on Nexen.net, which gives the latest on PHP, MySQL, and the packages that combine them for an easier install.





All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework