With the PEAR move to github surpassing 200 repositories, we’re seeing more contributions from folks lurking in the shadows.
In particular I’d like to highlight the efforts of meldra and Gemorroj.
With XML_Feed_Parser hosted on github, Meldra has been able to provide all of the patches that have been sitting in the wings internally back to PEAR, with no fuss.
Faced with a backwards compatibility requirement on Image_Barcode, Gemorroj contributed heavily to an Image_Barcode2.
Having watched these two individuals over the last few weeks provide new vigour and input to some of our underloved packages, I’d like to put a challenge out to the community.
If you have a patch we have pushed back on because of backwards compatibility concerns, talk to us about making the next significant version of that package – we’ll get the code on github and help you get what you need.
No red tape. No run around. Just a solution to your problem by creating an appropriate fork, and a new major version to avoid any BC concerns.
If you have fixes for defects or enhancements being used within your organisation – send us a pull request.
Where there isn’t source available on github yet – ask for it.
PEAR is about providing the PHP community with reusable, effective components – this has been our mission since day 1.
If there is anything we can do to make that goal happen, to assist you as an individual or company, I would strongly encourage you to let us know – we’re here to help.
Like many other projects, many components of PEAR have started a migration to github.
We have two primary organisations set up for PEAR and PEAR2.
While the existing PEAR packages will continue to use the pear.php.net distribution and bug tracking capabilities, it’s never been easier to contribute to a PEAR package – simply fork, add your changes and send us a pull request.
If your preferred packages aren’t yet on github, please feel free to drop us a line on the pear-dev mailing list.
We’ve had 60 releases since July. While most are minor improvements or bug fixes, a number of packages really stand out.
Net_DNS2, and HTTP_Request2. Each of these packages represents the second edition of their respective APIs, each having been honed over time to a point of stability.
If you have an existing project using Net_DNS or HTTP_Request, it is highly recommended you evaluate these new stable releases.
There’s nothing quite like having your blogging system go MIA for a while to give your community an overwhelming impression that no one is home.
Thankfully, despite the radio silence between updates there’s quite a lot to talk about!
We’ve seen well put together PEPr proposals around VersionControl_Hg, Services_Libravatar, Twitter_Uploader & many more, as well as new packages like Date_Holidays_Croatia, Date_Holidays_Australia & Validate_IR.
We’ve seen new members of the community such as arash (Validate_IR), mgocobachi (HTML_Safe, Event_Dispatcher) and pce (Config_Lite).
Most exciting from my perspective? We’ve seen an explosion in the number of PEAR channels available – at this time, we know of no less than 55 different channels, from those with one small component to those with hundreds.
This is coupled with conversations in the community around how PHP projects can create a robust, diverse ecosystem based on some of the core concepts built into PEAR, and how PEAR itself continues on.
Speaking of the future of PEAR, Pyrus is absolutely worth a look if you are working in a PHP 5.3+ environment.
The final place I’d like to throw the spotlight on is HTML_QuickForm2. If you are a user of the original HTML_QuickForm but haven’t thought about upgrading, this is the package for you.
The API is much cleaner, there are at least 3 plugins being proposed via PEPr at the moment, and it’s a snap to extend it to render really slick HTML5 controls.
What’s the pear project been up to recently? We’ve been fairly quiet, launching pear2 and pyrus into the line up, welcoming new faces to the QA team, Jesús Espino, and getting ready to call an election for the new pear group.
In addition to that, we’ve seen releases of Net_DNS, Net_IPv4, Services_Twitter, and File_MARC (read more) to name a few.
We’ve seen a fair few of the more active members of the community go into hibernation as life gets busier, so if you’ve ever wanted to help out with PEAR, now is a great time!
Not sure how to help? There are plenty of ways, from stomping out deprecated code, writing unit tests for bug reports / packages, proposing a package, urging your favorite project to host a pear channel, becoming a member of the QA team or even part of the PEAR group itself.
Come and join us on the pear-dev mailing list to find out more.
After the recent problems regarding the usage of PEAR channels hosted in google code SVN repositories, we are glad to announce that the problem has been fixed on both sides!
The reason for the problem was that PEAR sent HTTP “Host:” headers with the port included, i.e. “Host: pear.php.net:80”. This is completely valid according to the HTTP/1.0 specification, and it worked with all of the channels – except those from Google.
Google fixed their HTTP servers to accept Hosts with port numbers, and we at PEAR fixed the PEAR installer not to add the port to HTTP host headers. Version 1.9.1 of PEAR includes that fix.
PEAR channels hosted on google code (like the unofficial Smarty channel, unofficial Zend Framework channel and the unofficial Mediawiki channel) are currently broken.
The reason for it has been discovered in the corresponding bug report: HTTP requests containing a port number in the “Host” header field are rejected, returning a 404.
The issue is currently being investigated by Google. If you cannot wait, apply a hack-fix to your PEAR installation. Alternatively, use Pyrus, the next-gen PEAR installer.
After a quiet holiday season, the PEAR community has started rumbling again.
Digg gave PEAR a plug, new versions of Mail, Services_Facebook, System_Daemon, and HTML_Template_IT were released, the number of bugs reported dropped to less than one per package for a brief time, and two promising new proposals in PEPr arrived.
What’s even more exciting, we’ve got a continuous integration environment currently set up; discussion (and bug fixing) is turning more and more towards the future of pear, and the quiet on the mailing lists has vanished in a recent flood of posts.
Even better, we’ve seen the conceptual basis of PEAR (channel server and installer) take off with Pirum and PEARFarm being launched, and several large projects like PHPUnit, Smarty, and even Zend Framework (!) being installable via pear channels.
If this level of activity is anything to judge by, the future of PEAR looks bright for 2010!
PEAR Security Advisory (PSA 200911-14-01)
Title: PEAR Net_Ping and Net_Traceroute Remote Arbitrary Command Injection
Date: November 14, 2009
Multiple remote arbitrary command injections have been found in the Net_Ping
Net_Ping is an OS independent wrapper class for executing ping calls from PHP
Net_Traceroute is an OS independent wrapper class for executing traceroute calls from PHP
   Package           Vulnerable    Unaffected
1  Net_Ping          < 2.4.5       >= 2.4.5
2  Net_Traceroute    < 0.21.2      >= 0.21.2
2 affected packages on all of their supported architectures.
Remote Arbitrary Command Injection
When input from forms is used directly, the attacker could pass variables that would allow him to inject arbitrary commands remotely.
Filter your input to make sure the commands passed are shell escaped or upgrade to the latest version of both packages.
The group recommends users of Net_Ping to upgrade to Net_Ping-2.4.5 if they haven’t already:
The group recommends users of Net_Traceroute to upgrade to Net_Traceroute-0.21.2 if they haven’t already:
Thanks to Pasquale Imperato for finding, analyzing and reporting the issue.
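The workaround named in the advisory (make sure form input that reaches the command is shell escaped), shown as an added PHP example that is not code from Net_Ping or Net_Traceroute. The function names and the ping options are assumptions, and the command lines are only built and printed, never executed.

```php
<?php
// Added example: not code from Net_Ping or Net_Traceroute.
// All function names here are hypothetical.

// Vulnerable pattern: form input concatenated straight into a command line.
function buildPingCommandUnsafe(string $host): string
{
    return 'ping -c 3 ' . $host;
}

// Allowlist: accept only an IP literal or a DNS hostname.
function isValidTarget(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // Labels of letters, digits and inner hyphens; \z (not $) so a trailing
    // newline cannot slip through, and a leading "-" can never look like an option.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($host) <= 253
        && preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/i', $host) === 1;
}

// Hardened form: validate first, then quote the value as a single shell argument.
function buildPingCommandSafe(string $host): string
{
    if (!isValidTarget($host)) {
        throw new InvalidArgumentException('rejected ping target');
    }
    return 'ping -c 3 ' . escapeshellarg($host);
}

// Constructed sample inputs, as they might arrive from a form field.
$samples = ['192.0.2.10', 'example.org', '192.0.2.10; id', '$(id)', "example.org\nid", '-f'];
foreach ($samples as $input) {
    echo 'input:  ', json_encode($input), PHP_EOL;
    echo 'unsafe: ', json_encode(buildPingCommandUnsafe($input)), PHP_EOL;
    try {
        echo 'safe:   ', json_encode(buildPingCommandSafe($input)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   ', $e->getMessage(), PHP_EOL;
    }
}
```

Validation and escaping do different jobs here: the allowlist rejects values that are not hosts at all (including option-like input such as "-f"), while escapeshellarg() keeps an accepted value from being interpreted by the shell.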
Be aware that the initial release of Ubuntu Karmic contains a bug that affects PHP and PEAR, whose fix came a tad too late to make the initial release. The bug is fixed, and will be included in upcoming updates from Ubuntu.
From PEAR’s perspective, the key issue relates to the zlib library. This is evident in any attempt to install or upgrade a package, since doing so involves downloading a tarball file that must be uncompressed. The bug causes some zlib functions to be unavailable to PHP, and the Archive_Tar code will silently fail due to this.
If you attempt to install or upgrade a package, it may appear to finish without error, but without a final “install ok” or “upgrade ok” message. This means the process failed. The workaround is to include the -Z argument, so that a .tar file will be downloaded rather than a .tgz file:
pear install -Z phpdocumentor