Hi,

> -----Original Message-----
> From: Nikita Popov <nikita....@gmail.com>
> Sent: Monday, September 17, 2018 7:07 PM
> To: Christoph Becker <cmbecke...@gmx.de>
> Cc: PHP internals <internals@lists.php.net>
> Subject: Re: [PHP-DEV] Unbundle libsqlite3?
> 
> On Mon, Sep 17, 2018 at 3:16 PM Christoph M. Becker <cmbecke...@gmx.de>
> wrote:
> 
> > Hi!
> >
> > We have bundled an unmodified libsqlite3 for at least two years.  Since then
> > all updates go into any dev, alpha and beta releases, while security
> > patches (usually backports from libsqlite3) go into stable branches.
> >
> > ext/sqlite3 requires libsqlite ≥ 3.3.9[1] which has been released on
> > 2007-01-04[2] (i.e. more than eleven years ago!).  ext/pdo_sqlite has
> > no specific version requirement; there is a check for
> > sqlite3_open()[3] which I believe is available since 3.0.0.
> >
> > So is there any particular reason why we still bundle libsqlite3?
> >
> > [1] <https://github.com/php/php-src/blob/php-7.3.0RC1/ext/sqlite3/config0.m4#L37-L47>
> > [2] <https://sqlite.org/oldnews.html#2007_01_04>
> > [3] <https://github.com/php/php-src/blob/php-7.3.0RC1/ext/pdo_sqlite/config.m4#L55-L58>
> >
> 
> +1 on unbundling libsqlite. If we a) don't patch a library and b) it is
> widely available in distros, then we have no business bundling the library.
> Bundled libraries are extra maintenance work for us and a security risk for
> users (we are slower at updating bundled libraries than distros).
> 
> Three more libraries that we (as far as I know) bundle without modification
> are:
>  * libzip: Unbundling was already planned for 7.3 but held up due to some CI
> issues. Next try at https://github.com/php/php-src/pull/3532.
>  * oniguruma
>  * pcre
> 
> I'm not sure how widely available libonig and libpcre2 are.
> 
For SQLite3 it should be fine.

For PCRE2 - a case where we badly require the bundled lib is debugging and
Valgrind integration for JIT. Sure, some debug symbols can be available from a
distribution, but I never tried it that way and it might differ from one Linux
to another, especially regarding Valgrind. Non-Linux environments like BSD-based
ones are not even to mention. An alternative to the distribution-supplied builds
might be to always have custom Valgrind-enabled builds of libpcre2 just for the
PHP development, whereby different versions might collide with some
system-provided libraries. IMO it is more convenient for us to keep the bundled
PCRE libs for these reasons.

Some libonig versions seem to be available on even old stable Debian and 
current Fedora, but further targets need to be investigated.

Windows builds for all these should be doable. I'd need to check closer for 
PCRE2 and Oniguruma, but SQLite3 is for sure good. 

Regards

Anatol

