[MIR] php-xmlrpc

Bug #1956345 reported by Christian Ehrhardt 
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
php-xmlrpc (Ubuntu)
Fix Released
Undecided
Bryce Harrington

Bug Description

This isn't a real new MIR.
php-xmlrpc was in main as long as most history goes:

 php-xmlrpc | 1:7.0+35ubuntu6 | xenial | all
 php-xmlrpc | 1:7.0+35ubuntu6.1 | xenial-updates | all
 php-xmlrpc | 1:7.2+60ubuntu1 | bionic | all
 php-xmlrpc | 2:7.4+75 | focal | all
 php-xmlrpc | 2:7.4+76ubuntu1 | hirsute | all
 php-xmlrpc | 3:1.0.0~rc3-2 | jammy/universe | source, amd64, arm64, armhf, ppc64el, riscv64, s390x

It used to be part of src:php and now got separated into its own src:php-xmlrpc.
That made it to be a new package as synced in from Debian, but it still is seeded directly since:
  https://git.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/commit/?id=c6689632

This is the same content as before, just in a separate source package.
I'm adding the server team subscription, but IMHO other than that the content didn't change and it could be promoted - opinions?

Tags: jammy

Related branches

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This also let drop xmlrpc-epi out of main, see bug 1547700.
Once this one here is approved, both have to be promoted (again).

Changed in php-xmlrpc (Ubuntu):
status: Incomplete → New
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

@Bryce - while it seems this is "just a split" it also appears to be unmaintained [1] on this page. What is the path forward here, is there an alternative or is this no more needed, should we consider keeping it in universe (removing it from the seeds)?

[1]: https://pecl.php.net/package/xmlrpc

Changed in php-xmlrpc (Ubuntu):
assignee: nobody → Bryce Harrington (bryce)
status: New → Incomplete
Revision history for this message
Bryce Harrington (bryce) wrote :

It looks like the main rdepends of this package is libsoup2.4-tests:

libsoup2.4-tests
  ...
  Depends: php
    uwsgi-plugin-php
    php8.0
    php8.1
 |Depends: php-xmlrpc
    php8.1-xmlrpc
  ...

(Both php-xmlrpc and php8.1-xmlrpc binary packages come from php-xmlrpc source).

I am noticing that there is a new version of libsoup2.4 in -proposed, whose changes look like they are aiming to mark xmlrpc tests skippable. Looking at the build and test logs for libsoup2.4, it does not appear that the php*-xmlrpc binary package gets installed.

So I wonder if once we can get php-defaults and libsoup2.4 to migrate, if the php-xmlrpc source package becomes vestigial and can be dropped from the archive?

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :
Download full text (3.7 KiB)

Thanks for the check Bryce, that confirms what I've found in my quick look before.

At least from the archives POV only libsoup2.4-tests needs it.
And as you outlined it added "Add patch to treat tests based on php-xmlrpc as unreliable" in 2.74.2-3.
And libsoup2.4-test are only in universe.

OTOH I would not want to drop it from the archive as you suggested. There might be 3rd party or user software using it, and it might be happy to use it for a long time.

Note: there also is php-xml-rpc2, but that seems less maintained - no need brought it back from [1].

So IMHO we could go either way from here:
a) keep it in main (process this MIR bug here)
b) or demote it to universe (update seeds)

Note: as it is only a wrapper around src:xmlrpc-epi that would go with php-xmlrpc either way 8as it is the only dependency).

As always this is a balance of importance/need vs maintainability.

Checking various resources it seems not only is [2] called unmaintained, but also the overall project [3] moved to a node.js based source in 2019.
xmlrpc-epi which it wraps seems to be static as well (not necesarily bad) with no real update since at least 2014 [4].

If you search the web for "php xml rpc" you'll find a lot, but no references to this library.
Instead most refer to it being a security mess for wordpress [5]. And it turns out that this #1 user of the concept makes no use of the extension that it php-xmlrpc. If it would make it faster or more secure you'd think that over the years it would have been used, but it is not.
And there is a disturbing amount of "other php xml rpc2 projects [10][11]... Does that mean this addon of PHP isn't any good/useful?

Considering what feature it provides (HTTP based RPC) you have some contenders [6] that are more common and supported. While Oauth is something else the other three serve a similar purpose. Yar isn't even packaged, xmlrpc is for debate here and SOAP clearly is the most known and used of them. SOAP is in main (e.g. php8.1-soap in jammy). Checking various articles about the topic always rate SOAP>XMLRPC [7][8][9].

The [12] the discussion/statement around the decision by the php project to split it from src:php
could help as well. I consider their insight better than mine and they call it 'This extension was relatively unused, and was marked "experimental" all along. This extension relied on some of the libraries that were not maintained for several years.'
[12] Also lists four more modern alternatives for XML-RPC itself (none in the archive, no ITP for it in Debian).

It seems XMLRPC has lost the fight and on the way out. My gut feeling suggests to demote php-xmlrpc in Ubuntu 22.04 as a trial. If a reasonable real case comes up with use-cases needing support on php-xmlrpc we can re-promote it to main in 22.04. But as it seems to be on the way out I'd think for 22.10 and later we keep it in universe unless the conditions change on a wider scale.

@Bryce:
- Do you know of any other good way to check popularity/importance of php-xmlrpc to further guide our decision?
- If you agree would you prep the seed change?

[1]: https://tracker.debian.org/news/900929/php-xml-rpc2-removed-from-testing/
[2]: https://pecl....

Read more...

Revision history for this message
Bryce Harrington (bryce) wrote :

> It seems XMLRPC has lost the fight and on the way out. My gut feeling suggests to demote php-xmlrpc in Ubuntu 22.04 as a trial. If a reasonable real case comes up with use-cases needing support on php-xmlrpc we can re-promote it to main in 22.04.

I concur with this, it fits what I found as well.

Your mention of wordpress reminds me of when I looked at this prior to the holidays. Digging back through the history it seemed that at one point this was split from wordpress in hopes other projects could use it, but it failed to become commonly used, and eventually even wordpress moved on.

> @Bryce:
> - Do you know of any other good way to check popularity/importance of php-xmlrpc to further guide our decision?

No, indeed there are a number of similar php bits that I suspect are not really used, but I lack a reliable way to obtain data to prove so.

> - If you agree would you prep the seed change?

Does it just need dropped from the platform seed's server component? If so, please review:
https://code.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/+merge/413720

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

> Does it just need dropped from the platform seed's server component

Yes

> If so, please review:
> https://code.launchpad.net/~ubuntu-core-dev/ubuntu-seeds/+git/platform/+merge/413720

Reviewed by two now, feel free to push

Revision history for this message
Bryce Harrington (bryce) wrote :

Thanks, change pushed to jammy.

Changed in php-xmlrpc (Ubuntu):
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers