[Bug 1547700] [NEW] [MIR] xmlrpc-epi

Nish Aravamudan nish.aravamudan at canonical.com
Fri Feb 19 22:33:13 UTC 2016


Public bug reported:

[Availability]

Available in universe in all currently supported releases.

[Rationale]

src:php7.0 is currently patched to not build php-xmlrpc due to
component-mismatch. Previously, php5-xmlrpc was in main and built from
src:php5. The PHP 5 version of the xmlrpc extension did not have a build
dependency on xmlrpc-epi, but Debian's PHP 7.0 has added it. End-users
will expect to find, generally, the same extensions available in Xenial
as on Trusty (accounting for the version change) in the same components.

[Security]

php7.0 has been promoted to main, and php7.0-xmlrpc re-enablement would
result in that package also being in main. php-xmlrpc is included with
and supported as part of the core PHP release in all currently supported
versions. It therefore has security support from the core PHP team. It
also has security support from upstream Debian.

xmlrpc-epi itself shows no results from CVEs or NVD. There is one
mention of a php-xmlrpc CVE that may be relevant:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8626, but it only
affects older versions of PHP.

The xmlrpc-epi package does not install any executables or services.

[Quality assurance]

There is nothing to start upon installation of xmlrpc-epi. The binary
packages produced provide shared libraries.

There are no debconf questions asked during installation.

Upstream xmlrpc-epi bugs: https://sourceforge.net/p/xmlrpc-epi/bugs
 - None seem significant.
Debian bugs: https://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=xmlrpc-epi
 - The only bug affects mips only.
Ubuntu bugs: https://launchpad.net/ubuntu/+source/xmlrpc-epi/+bugs
 - No bugs found.

In Debian, there are a few lintian errors, but it is otherwise clean
(https://packages.qa.debian.org/x/xmlrpc-epi.html).

This xmlrpc-epi package does not deal with hardware.

The xmlrpc-epi package does not ship a test suite.

The xmlrpc-epi package has a debian/watch file, although PTS indicates
it might be invalid currently.

[Dependencies]

All build and binary dependencies are satisfiable in main.

[Standards compliance]

The current package meets Debian Policy 3.9.2 (current is 3.9.6).

[Maintenance]

The php7.0 source package is already maintained by Ubuntu Developers,
who are responsible for providing security updates for several other
binary packages from php7.0 source. Bugs and security issues that affect
php-xmlrpc will typically affect core as well and require updates.
Security issues which affect xmlrpc-epi are rare so the extra workload
required should hopefully be minimal.

[Background information]

To be clear, php5-xmlrpc was in main before we demoted php5 to universe
(with the intention of removing it from the archive). It makes sense to
keep php7.0-xmlrpc in main, correspondingly, and this is the only build
dependency needed to do so.

** Affects: php7.0 (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: xmlrpc-epi (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: php7.0 (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to php7.0 in Ubuntu.
https://bugs.launchpad.net/bugs/1547700
