
Approve https://packages.sury.org/php/ as an acceptable Debian package source for Toolforge
Closed, Declined · Public

Description

I'm requesting that packages.sury.org/php be added to the approved list of repositories for Toolforge on https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin#Local_package_policy.

packages.sury.org is a third-party repository of PHP packages, maintained by the same person who maintains them in Debian proper, so they're the exact same quality, and use the same packaging as well.

Using this repository was endorsed by the ops list when CI needed PHP 7.0+ packages, and is still used by CI today. Originally the idea was to use the thirdparty/php72 component (which is importing debs from packages.sury.org!), but that has a few drawbacks. Notably, that section was intended for use by Phabricator, and is missing other packages that we need (cf. T200666). I think it'll be much easier going forwards if we can just use packages.sury.org directly.

Potential concerns:

  • Freedom: All of the packages in the PHP section that we'd use are free software
  • Privacy: Users would never interact with this service directly, we'd only call it during the image building process
  • Security: The apt repo is over HTTPS, and we'd verify all packages using GPG. The maintainer of the repo would theoretically have root access to the docker images, but given that they're also the Debian maintainer, realistically they already have it that way.

Event Timeline

Legoktm created this task. Aug 17 2018, 6:27 PM
Restricted Application added a subscriber: Aklapper. Aug 17 2018, 6:27 PM
Legoktm updated the task description. Aug 17 2018, 9:24 PM

I think this is fine. It's not 100% obvious to me what we need to do to implement this; is it just editing a line on a wiki?

I think our preference would be to import these packages into our repo rather than point at the external repo. Arturo will follow up.

Andrew assigned this task to aborrero. Aug 21 2018, 3:32 PM
aborrero triaged this task as Normal priority. Aug 21 2018, 4:19 PM
aborrero updated the task description. Aug 21 2018, 4:46 PM

I think this is fine. It's not 100% obvious to me what we need to do to implement this; is it just editing a line on a wiki?

Basically yeah. Since this is a departure from the current Toolforge package policy, I wanted the Cloud Services team to sign off on it first.

And if/when approved, I was going to update the php72 docker images to start using the repository.

Hey @MoritzMuehlenhoff, do you see any problem in importing all of the php/ repo into our apt.wikimedia.org repo?

I don't think we should use external repos directly, these packages are already in thirdparty/php72 (and this repo is also available if sury.org vanished off the net/is down/whatever), so I don't see what problem this solves.

Aklapper renamed this task from Approve https://packages.sury.org/php/ as an accptable Debian package source for Toolforge to Approve https://packages.sury.org/php/ as an acceptable Debian package source for Toolforge. Aug 22 2018, 9:10 AM
Legoktm closed this task as Declined. Aug 24 2018, 6:14 AM

Fair enough.