On Mon, Sep 17, 2018 at 3:16 PM Christoph M. Becker <cmbecke...@gmx.de> wrote:
> Hi!
>
> We bundle an unmodified libsqlite3 for at least two years. Since then all updates go into any dev, alpha and beta releases, while security patches (usually backports from libsqlite3) go into stable branches.
>
> ext/sqlite3 requires libsqlite ≥ 3.3.9[1] which has been released on 2007-01-04[2] (i.e. more than eleven years ago!). ext/pdo_sqlite has no specific version requirement; there is a check for sqlite3_open()[3] which I believe is available since 3.0.0.
>
> So is there any particular reason why we still bundle libsqlite3?
>
> [1] <https://github.com/php/php-src/blob/php-7.3.0RC1/ext/sqlite3/config0.m4#L37-L47>
> [2] <https://sqlite.org/oldnews.html#2007_01_04>
> [3] <https://github.com/php/php-src/blob/php-7.3.0RC1/ext/pdo_sqlite/config.m4#L55-L58>

+1 on unbundling libsqlite. If we a) don't patch a library and b) it is widely available in distros, then we have no business bundling the library. Bundled libraries are extra maintenance work for us and a security risk for users (we are slower at updating bundled libraries than distros).

Three more libraries that we (as far as I know) bundle without modification are:

 * libzip: Unbundling was already planned for 7.3 but held up due to some CI issues. Next try at https://github.com/php/php-src/pull/3532.
 * oniguruma
 * pcre

I'm not sure how widely available libonig and libpcre2 are.

Nikita