Change Details

I'm requesting that packages.sury.org/php be added to the approved list of repositories for Toolforge on <https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin#Local_package_policy>. packages.sury.org is a third-party repository of PHP packages, maintained by the same person who maintains them in Debian proper, so they're the exact same quality, and use the same packaging as well. Using this repository was endorsed by the ops list when CI needed PHP 7.0+ packages, and is still used by CI today. Originally the idea was to use the [[https://tools.wmflabs.org/apt-browser/stretch-wikimedia/thirdparty/php72/|thirdparty/php72]] component (which is importing debs from packages.sury.org!), but that has a few drawbacks. Notably, that section was intended for use by Phabricator, and is missing other packages that we need (c.f. T200666). I think it'll be much easier going forwards if we can just use packages.sury.org directly. Potential concerns: * Freedom: All of the packages in the PHP section that we'd use are free software * Privacy: Users would never interact with this service directly, we'd only call it during the image building process * Security: The apt repo is over HTTPS, and we'd verify all packages using GPG. The maintainer of the repo would theoretically have root access to the docker images, but given that they're also the Debian maintainer, realistically they already have it that way.

I'm requesting that `packages.sury.org/php` be added to the approved list of repositories for Toolforge on <https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin#Local_package_policy>. packages.sury.org is a third-party repository of PHP packages, maintained by the same person who maintains them in Debian proper, so they're the exact same quality, and use the same packaging as well. Using this repository was endorsed by the ops list when CI needed PHP 7.0+ packages, and is still used by CI today. Originally the idea was to use the [[https://tools.wmflabs.org/apt-browser/stretch-wikimedia/thirdparty/php72/|thirdparty/php72]] component (which is importing debs from packages.sury.org!), but that has a few drawbacks. Notably, that section was intended for use by Phabricator, and is missing other packages that we need (c.f. T200666). I think it'll be much easier going forwards if we can just use packages.sury.org directly. Potential concerns: * Freedom: All of the packages in the PHP section that we'd use are free software * Privacy: Users would never interact with this service directly, we'd only call it during the image building process * Security: The apt repo is over HTTPS, and we'd verify all packages using GPG. The maintainer of the repo would theoretically have root access to the docker images, but given that they're also the Debian maintainer, realistically they already have it that way.

I'm requesting that `packages.sury.org/php` be added to the approved list of repositories for Toolforge on <https://wikitech.wikimedia.org/wiki/Portal:Toolforge/Admin#Local_package_policy>. packages.sury.org is a third-party repository of PHP packages, maintained by the same person who maintains them in Debian proper, so they're the exact same quality, and use the same packaging as well. Using this repository was endorsed by the ops list when CI needed PHP 7.0+ packages, and is still used by CI today. Originally the idea was to use the [[https://tools.wmflabs.org/apt-browser/stretch-wikimedia/thirdparty/php72/|thirdparty/php72]] component (which is importing debs from packages.sury.org!), but that has a few drawbacks. Notably, that section was intended for use by Phabricator, and is missing other packages that we need (c.f. T200666). I think it'll be much easier going forwards if we can just use packages.sury.org directly. Potential concerns: * Freedom: All of the packages in the PHP section that we'd use are free software * Privacy: Users would never interact with this service directly, we'd only call it during the image building process * Security: The apt repo is over HTTPS, and we'd verify all packages using GPG. The maintainer of the repo would theoretically have root access to the docker images, but given that they're also the Debian maintainer, realistically they already have it that way.