Is there some way to get some movement on making this change?

mod_php has been discouraged for well over a decade by the PHP project
developers. It has security implications (applications run as www-data
instead of a less privileged user), it has a performance and memory-usage
cost, and increased attack surface, even if the user isn't using it to run
PHP applications (it is loaded by default by configuration in
/etc/apache2/mods-enabled/php8.2.load when installed). There's no reason to
ever prefer mod_php, so the default here is guiding users in a bad
direction on multiple fronts (security, performance, and memory usage).

Installing mod_php also prevents configuring http2 in Apache, because it
depends on mpm_prefork.

Upstream recommends FPM and strongly discourages mod_php, so the package
should prefer FPM. Merely changing the order of dependencies to put fpm
first would resolve this problem.

Is there anything blocking this change, or has it just not gotten the
attention of the right folks?

On Mon, 19 Apr 2021 15:43:32 -0600 Jesse Rhodes <je...@sney.ca> wrote:
> Source: php-defaults
> Severity: wishlist
> X-Debbugs-Cc: je...@sney.ca
>
> Dear Maintainer,
>
> The top-level versioned php metapackage (php7.4 at the time of writing)
> has the following Depends field:
>
> Depends: libapache2-mod-php7.4 | php7.4-fpm | php7.4-cgi, php7.4-common
>
> Thus, a user who runs 'apt install php' will get libapache2-mod-php7.4,
> along with apache2 itself.
>
> Apache upstream considers prefork to be specific to "sites requiring
> stability or compatibility with older software"[1]. And in the modern era,
> best practices for hosting websites with dynamic content include using
> either a threaded MPM in apache, or a different httpd such as nginx.
>
> Because of this, it seems that libapache2-mod-php is no longer a sane
> default when installing php. It makes sense to keep it available, both for
> the legacy reasons cited above and for environments like a low traffic
> application that requires apache features, but it should not be the first
> choice of sapi to install.
>
> Please consider making this change.
>
> Thanks,
>
> Jesse (sney)
>
> [1] https://httpd.apache.org/docs/2.4/en/mpm.html
>
> -- System Information:
> Debian Release: bullseye/sid
> APT prefers testing
> APT policy: (990, 'testing'), (500, 'testing-security'), (500,
> 'unstable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
> TAINT_UNSIGNED_MODULE
> Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_CA:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
>
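
An added example, not part of either message in this thread: a POSIX shell check an administrator could run to find hosts where the conditions described above hold, that is, mod_php loaded through a php*.load file in /etc/apache2/mods-enabled and the prefork MPM active. The function name audit_apache_php is hypothetical, and the file names mpm_prefork.load and http2.load assume the standard Debian apache2 module layout.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Debian-style Apache
# mods-enabled directory for mod_php and the prefork MPM.
# Assumption: modules are enabled as <name>.load entries, as with the
# php8.2.load file named in the first message.

audit_apache_php() {
    dir="${1:-/etc/apache2/mods-enabled}"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory" >&2
        return 2
    fi

    # mod_php is loaded whenever a phpX.Y.load entry is present, whether
    # or not any PHP application is actually served by this host.
    for f in "$dir"/php*.load; do
        [ -e "$f" ] || continue          # glob matched nothing
        echo "FINDING: mod_php is loaded via $(basename "$f")"
        findings=$((findings + 1))
    done

    # mod_php depends on mpm_prefork, so the two normally appear together.
    if [ -e "$dir/mpm_prefork.load" ]; then
        echo "FINDING: mpm_prefork is the active MPM"
        findings=$((findings + 1))
        if [ -e "$dir/http2.load" ]; then
            echo "NOTE: http2 is enabled but the MPM is prefork"
        fi
    fi

    if [ "$findings" -eq 0 ]; then
        echo "OK: no mod_php or prefork entries in $dir"
        return 0
    fi
    return 1
}

# Usage: audit_apache_php            (checks /etc/apache2/mods-enabled)
#        audit_apache_php /some/dir  (checks a copied or mounted config)
```

The function returns 0 when neither entry is present, 1 when at least one finding is reported, and 2 when the directory does not exist, so it can be used directly in a fleet-wide compliance loop.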
