NOTE: I only saw that where the source package is in main reports are not
required after spending most of the day writing this up. It's my first MIR so apologies if this isn't the correct process for promoting a binary of an existing source package - I couldn't find documentation on what to do to make that request.
From the PHP documentation: FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features (mostly) useful for heavy-loaded sites.
Availability:
Available in Ubuntu universe in all currently supported Ubuntu releases. Latest release builds on all architectures (amd64, arm64, armhf, i386, powerpc, ppc64el)[1]. Also available on Debian Wheezy (it was not included in Squeeze as FPM was introduced to PHP core too close to Squeeze's release[2]).
Rationale:
Commonly combined with nginx, and can be used with all servers supporting
FastCGI (Apache, Lighttpd, etc). With some momentum behind adding nginx to main[3] it would be nice to have something with security support that can be paired with it to have comparable functionality to the common apache2 + libapache2-mod-php5 combination. According to Ubuntu popcon php5-fpm is used regularly by 950 people, which compares favourably to nginx (nginx-common) which is used regularly by 639 people (according to "Vote" stats).
Security:
php5 is already in main so this search is limited to security issues affecting FPM specifically. PHP FPM is included with and supported as part of the core PHP release in all currently supported versions (5.3.x, 5.4.x and 5.5.x). It therefore has security support from the core PHP team. It also has security support from upstream Debian.
A search for "fpm" on cve.mitre.org and NVD returns only CVE-2012-0831. This appears to have been disclosed responsibly and fixed promptly (NVD shows vulnerability release date of Feb 10, 2012. It was fixed in PHP prior to this disclosure on Feb 2, 2012.)
The USN with updated packages was released Feb 9, 2012.
There are currently no affecting CVEs listed in Ubuntu's security tracker for php5 package[4].
There are currently four open issues listed in Debian's security tracker (not counting "unimportant issues" for php5 package[5]:
* CVE-2010-4657 per Ubuntu tracker "can't reproduce on quantal+", so does not affect Trusty.
* CVE-2011-1398 fixed upstream in 5.4.0, so does not affect Trusty.
* CVE-2011-4718 fixed upstream in 5.5.2, so does not affect Trusty.
* CVE-2012-0789 fixed upstream in 5.5.0, so does not affect Trusty.
The php5-fpm binary is installed in /usr/sbin and installs a daemon. The daemon by default is not public facing and starts a socket listening at /var/run/php5-fpm.sock.
Based on this an in-depth security review is required.
Quality assurance:
The package is automatically started after installation. Provided a web server is correctly configured it should be possible to use this package without any further configuration to begin serving PHP pages.
There are no debconf questions asked during installation.
Upstream PHP FPM bugs: https://bugs.php.net/search.php?cmd=display&package_name[]=FPM+related
Debian bugs: http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=php5-fpm
Ubuntu bugs: https://launchpad.net/ubuntu/+source/php5/+bugs?field.searchtext=fpm
Ubuntu bug 1230917 must be fixed, as this affects logrotate when using Upstart and will send weekly warning emails from cron.
Other Ubuntu bugs either require more information or relate to PHP core or a module, not FPM.
In Debian there are currently no outstanding bugs that can be actioned.
In PHP upstream there are several relevant open bugs:
* 55508 - feature request to listen on IPv6 addresses (current support is limited to IPv4 and sockets)
* 62382 - access log format for FPM shows incorrect values for server time a request is received
* 51983 - pm.status_path not working when cgi.fix_pathinfo=1 (long-standing, probably minor bug)
* 53074 - looks like upstream version of Ubuntu bug 1242376
* 53611 - fastcgi_param PHP_VALUE pollutes other sites (possible security issue, long-standing). Possibly related to 61867 and 63965.
* 60961 - Graceful Restart (USR2) isn't very graceful. Possibly related to 63395.
* 61558 - Runaway spawning of children after pipe error
* 62172 - FPM not working with Apache httpd 2.4 balancer/fcgi setup
* 55322, 62279 - chroot issues
* 64626 - PHP-FPM may segfault/hang on startup
Whether any of these are blockers is up to discretion of MIR approval team. If any are blockers then please state which ones so they can be tracked for a future MIR.
In Debian PTS there are several Lintian errors and warnings for php5, however php5-fpm is clean. There is a build warning on powerpc but no build failures.
The package does not deal with specific hardware.
The package ships a test suite which is referenced in debian/rules.
The package includes a watch file.
UI standards:
N/A
Dependencies:
All build and binary dependencies are satisfyable in main.
Standards compliance:
The current package meets Debian Policy 3.9.4 (current is 3.9.5).
Maintenance:
The php5 source package is already maintained by Ubuntu Developers, who are responsible for providing security updates for several other binary packages from php5 source. Bugs and security issues that affect FPM will typically affect core as well and require updates; security issues which affect PHP FPM are rare so the extra workload required should hopefully be minimal.
NOTE: Ubuntu bug 1242376 was marked as requiring a fix, however it was fixed in Debian in 5.5.6+dfsg-1 and that fix is now in the Trusty archive.
[1] https://launchpad.net/ubuntu/+source/php5/5.5.6+dfsg-1ubuntu2
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=603174
[3] https://bugs.launchpad.net/ubuntu/+source/nginx/+bug/1262710
[4] http://people.canonical.com/~ubuntu-security/cve/pkg/php5.html
[5] https://security-tracker.debian.org/tracker/source-package/php5
Who will be your team subscriber? If this is to be ~ubuntu-server, have you cleared it with them? I have seen no mention.