Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#15482 - [php] Package Should be Renamed to Suhosin Due to Licensing Conflict

Attached to Project: Arch Linux
Opened by Nicholas Sloan (slango) - Saturday, 11 July 2009, 17:05 GMT
Last edited by Pierre Schmitz (Pierre) - Saturday, 05 September 2009, 12:00 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Pierre Schmitz (Pierre)
Architecture All
Severity Very Low
Priority Low
Reported Version
Due in Version Undecided
Due Date 2009-08-31
Percent Complete 100%
Votes 2
Private No

Details

We are all aware of the Firefox/Ice Weasel/Gran Paradiso issue. There is a similar issue regarding PHP, and we are presently violating the terms of the PHP license.

The Suhosin patch is not an official part of the PHP project. While one can certainly argue the benefits of it, the developer behind the Suhosin patch refuses to commit his work to the PHP source. Patching PHP with the Suhosin patch thereby constitutes a derivative work, and the PHP license states that any derivative work cannot use the PHP name. This is in fact WHY the Suhosin patch is called the Suhosin patch.

By packaging the PHP source with the Suhosin patch and calling the resultant package php, we are violating the PHP license. If the Suhosin patch is to be applied, it should be done so in a separate package called Suhosin. I would suggest that a vanilla PHP package be made available for those who want an official PHP.

I have been told by core developers that anyone wishing to discuss this matter further should contact group@php.net.
This task depends upon

Closed by  Pierre Schmitz (Pierre)
Saturday, 05 September 2009, 12:00 GMT
Reason for closing:  No response
Additional comments about closing:  no response from upstream about this
Comment by Pierre Schmitz (Pierre) - Saturday, 11 July 2009, 17:44 GMT
Is this your own interpretation of the license or are you talking on behalf of the PHP group? The term "derived work" is not that clear. But I think we might be fine here as other distros also patch PHP and ship it with that name. Of course we all could still be wrong; if that's the case I would prefer an official statement from PHP, so we can remove it from our repo.

Btw: Our firefox package is still called firefox. (the package and the binary)
Comment by Nicholas Sloan (slango) - Saturday, 11 July 2009, 18:23 GMT
One of the core developers mentioned this to me in an offhand remark ("Well if they're patching it with Suhosin, then it isn't PHP, per the license.") which made me think to mention it to you. He mentioned that the reason the Suhosin patch was changed in name from Hardened PHP to Suhosin was for that exact reason. I started to inquire further on the matter, and he said that I should refer you to group@php.net, which is the official source to consult in regard to these types of issues. There is a good chance that they might let it slide, but they should at least be consulted out of respect for their work.

Thanks for looking into this and taking this seriously. Arch is a respectable distribution, and I think that respecting licenses must be paramount in our efforts. I'm glad that you're giving this issue it's due diligence.
Comment by Pierre Schmitz (Pierre) - Saturday, 11 July 2009, 18:38 GMT
I will contact them and ask if we are allowed to distribute it as we like.
Comment by Jan de Groot (JGC) - Saturday, 11 July 2009, 20:19 GMT
Debian calls the package php5, but they have this in the description:
"This version of PHP5 was built with the Suhosin patch."
Comment by Pierre Schmitz (Pierre) - Saturday, 11 July 2009, 20:28 GMT
Yes, afaik at least Debian, Suse, Mandriva, Gentoo and FreeBSD ship it that way.
Comment by Pierre Schmitz (Pierre) - Monday, 20 July 2009, 17:24 GMT
  • Field changed: Priority (Normal → Low)
  • Field changed: Due Date (Undecided → 2009-08-31)
  • Field changed: Severity (Medium → Very Low)
No response yet; will wait till end of August and close the report then.

Loading...