Page MenuHomePhabricator

php-luasandbox in Wikimedia's Stretch apt repo depends on php5
Closed, ResolvedPublic


$ apt-cache show php-luasandbox
Package: php-luasandbox
Version: 2.0.14~stretch1
Architecture: amd64
Maintainer: Tim Starling <>
Installed-Size: 105
Depends: php5 | php5-cli, libc6 (>= 2.14), liblua5.1-0, phpapi-
Priority: optional
Section: web
Filename: pool/main/p/php-luasandbox/php-luasandbox_2.0.14~stretch1_amd64.deb
Size: 31130
SHA256: 3ad539fb71e2fb815d5cc658b1ab3a1ecdfa485e68312996d26f18b623fdbd63
SHA1: a34c33b197cd9d1dd5d0d295a2c81b9e3d060a53
MD5sum: 647c8e460583f2c651076805e6b70a7a
Description: Lua extension for PHP
 A PHP extension providing a sandboxed Lua environment which can be used to run
 untrusted code.
Description-md5: 79a1e52ec140a8c622026655cfd16712

Stretch does not include php5 packages, so this is uninstallable. It looks like the package was built for Stretch to provide hhvm-luasandbox and was not updated to correctly build the Zend package.

For MediaWiki-Vagrant, a workaround is to use the php-luasandbox package from stretch-backports via pinning. This probably isn't the best long term solution though as the proper package will eventually be needed for Wikimedia production. Unless of course we are going to drop our local package in favor of the upstream package maintained by @Legoktm.

Event Timeline

bd808 created this task.Jan 2 2018, 7:02 AM
bd808 triaged this task as Normal priority.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 2 2018, 7:02 AM

The packaging was probably based on the PHP5 version, since it also depends upon a non-existent phpapi- package, because the php5-config call probably failed during build.

Once we no longer need to have a separate hhvm-luasandbox package, it would be best if we could unify the Debian and Wikimedia packaging efforts. :-)

Change 401668 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/vagrant@stretch-migration] scribunto: install luasandbox from stretch-backports

Change 401668 merged by jenkins-bot:
[mediawiki/vagrant@stretch-migration] scribunto: install luasandbox from stretch-backports

I've uploaded a backport of Kunal's 1.5.1-3 package from Debian testing to stretch-backports. The packages in Debian only support Zend PHP (since Debian doesn't feature more in depth integration of HHVM in the wider module eco system), but we still need hhvm-wikidiff2, so I'll update the internal source package to only build the hhvm-wikidiff2 binary package. (And when we've migrated to PHP7 we can remove the internal package entirely)

MoritzMuehlenhoff closed this task as Resolved.Feb 2 2018, 12:14 PM
MoritzMuehlenhoff claimed this task.

Our internal wikidiff2 package has been rebuilt to only provide the hhvm-wikdiff2 package now (and after some fiddling with reprepro I removed the old php-wikidiff2 from

As such, stretch now has 1.4.1-1 and stretch-backports has 1.5.1-3~bpo9+1.

@bd808: For mediawiki-vagrant I'd recommend to add a patch for php-wikidiff2 similar to, ideally mediawiki-vagrant should also use 1.5.1 from backports as we do in production. Our production manifests are in progress of moving to it via

Our internal php-luasandbox package has been rebuilt to only provide the hhvm-luasandbox package (that's kind of confusing given the source package name, but it's only temporary given our migration to PHP 7).

(The old php-wikidiff2 binary package was removed from, you can't explicity only remove a binary package, so I had to re-import the dsc after "reprepro remove stretch-wikimedia php-luasandbox")

Change 424508 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[mediawiki/vagrant@master] Install wikidiff2 from stretch-backports

Change 424508 merged by jenkins-bot:
[mediawiki/vagrant@master] Install wikidiff2 from stretch-backports