Hi!

> During the discussion of PR 3080[1] the idea to replace our bundled
> libgd with an (unmodified) upstream libgd[2] has come up again. It
> seems this issue deserves its own discussion, and probably an RFC.

I think this is a good idea. In general, as the open source ecosystem matures (and more and more people move to use established OSS vendors or non-OSS vendors well-integrated into the OSS system, like macOS/homebrew setups) most people move to use distributions which supply a wide array of libraries, usually covering the ones that we used to bundle, and often doing a better job of keeping up with updates and security fixes than we can. So in general I think phasing out bundling, unless absolutely necessary, is an idea whose time has come.

> bundled libgd)[5]. Another important difference is that our bundled
> libgd uses ZendMM, but upstream libgd does not[6].

This one we need to find a solution for. GD is often exposed to unfiltered user input and has the potential to consume large amounts of memory, and not having ZendMM memory limits in place can be a serious issue.

> For most Linux environments PHP is built with an upstream (system)
> libgd; on Windows usually the bundled libgd is used.

Users targeting Windows are another concern - are there viable solutions for non-bundled GD for Windows that we can recommend to the users? If not, that means we still have to keep and maintain bundled GD, and if so, there's no point in spending any time on un-bundling before we find a solution to this.

--
Stas Malyshev
smalys...@gmail.com