Can I (or Alexey) do a release of HTTP_Request2?

Michael Gauthier
HTTP_Request2 has not seen a release in 2 years. The proposed changelog
for 2.3.0 would be:

  New Features:
  - Observer object which can do on-the-fly decoding to a stream.
  - Improved unit tests and added network tests, Travis CI integration.
  - Better event dispatching for cURL adapter.

  Fixed bugs:
  - False value returned from mime-type detection.
  - Double decoding of body if using cURL.
  - #20228 Dispatch warning event if incomplete body is received for
    chunked request.
  - #19937, #20401 Add option to ignore invalid cookies.
  - #20561 Use correct URL when storing cookies after redirect.
  - #20440 cURL adapter with PUT request does not send request body.

HTTP_Request2 has an up-to-date README, good CI tests (which look like
they are failing due to an error on Travis-CI's side) and an up-to-date
composer.json.

Cheers,
Mike

--
PEAR Development Mailing List (http://pear.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Can I (or Alexey) do a release of HTTP_Request2?

Christian Weiske
Hello Michael,


> HTTP_Request2 has not seen a release in 2 years. The proposed
> changelog for 2.3.0 would be:

I'd also love to see a new release.

Alexey, are you still there?

--
Regards/Mit freundlichen Grüßen
Christian Weiske

-=≡ Geeking around in the name of science since 1982 ≡=-

Re: Can I (or Alexey) do a release of HTTP_Request2?

Alexey Borzov
In reply to this post by Michael Gauthier
Hi Michael!

On 07.02.2016 23:49, Michael Gauthier wrote:
> HTTP_Request2 has not seen a release in 2 years. The proposed changelog for
> 2.3.0 would be:

Sorry for a long delay with a release.

I was hoping to dedicate some time to releasing a new version in February, so
thanks for additional encouragement and a draft of a changelog. :]


>   New Features:
>   - Observer object which can do on-the-fly decoding to a stream.
>   - Improved unit tests and added network tests, Travis CI integration.
>   - Better event dispatching for cURL adapter.
>
>   Fixed bugs:
>   - False value returned from mime-type detection.
>   - Double decoding of body if using cURL.
>   - #20228 Dispatch warning event if incomplete body is received for chunked
> request.
>   - #19937, #20401 Add option to ignore invalid cookies.
>   - #20561 Use correct URL when storing cookies after redirect.
>   - #20440 cURL adapter with PUT request does not send request body.


I still need to address
http://pear.php.net/bugs/bug.php?id=20462
and
http://pear.php.net/bugs/bug.php?id=20531
though. Especially the former one which can lead to selecting less-secure SSL
versions.

I'd also like to run some tests with composer and probably switch to using an
autoloader and not mangling include_path.

Other than these everything is indeed ready...


> HTTP_Request2 has an up-to-date README, good CI tests (which look like they are
> failing due to an error on Travis-CI's side) and an up-to-date composer.json.

Speaking of Travis failures, tests on 5.2 failed due to some obvious Travis
problem (do they even support 5.2 still?), while those on 5.5 and 5.6 failed
with an interesting error message related to Net_URL2:

Warning: require_once(Net/URL2.php): failed to open stream: No such file or
directory in /home/travis/build/pear/HTTP_Request2/HTTP/Request2.php on line 25

that's pretty strange since .travis.yml has an explicit "pear install Net_URL2"
and that install seemed to succeed. Any thoughts?


Re: HTTP_Request2 Travis issues (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Michael Gauthier
>> HTTP_Request2 has an up-to-date README, good CI tests (which look like
>> they are failing due to an error on Travis-CI's side) and an up-to-date
>> composer.json.
>
> Speaking of Travis failures, tests on 5.2 failed due to some obvious
> Travis problem (do they even support 5.2 still?), while those on 5.5 and
> 5.6 failed with an interesting error message related to Net_URL2:
>
> Warning: require_once(Net/URL2.php): failed to open stream: No such file
> or directory in /home/travis/build/pear/HTTP_Request2/HTTP/Request2.php
> on line 25
>
> that's pretty strange since .travis.yml has an explicit "pear install
> Net_URL2" and that install seemed to succeed. Any thoughts?
>

The precise VM for Travis no longer includes PHP 5.2 as an option. If you
still want to support 5.2 it has to be manually installed in the
`before_script` section. I recommend just dropping 5.2 support and
removing the test for 5.2.

For PHP 5.5 and 5.6 it looks like there is a config issue with the
default PEAR install. See
https://travis-ci.org/gauthierm/HTTP_Request2/jobs/107653291 which does
a `pear config-show` before running tests.

The PHP include path is:

   /home/travis/.phpenv/versions/5.5.31/share/pear

but the PEAR PHP path is:

   /home/travis/.phpenv/versions/5.5.31/lib/php/pear

Anything installed via PEAR on these systems is not in the default
include path and causes a failure on require_once. I opened
https://github.com/travis-ci/travis-ci/issues/5589 for the issue.

Re: HTTP_Request2 composer include path (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Michael Gauthier
In reply to this post by Alexey Borzov
> I still need to address
> http://pear.php.net/bugs/bug.php?id=20531
>
A fix for this looks like it was already merged into trunk. It's not the
prettiest fix but should work.

> I'd also like to run some tests with composer and probably switch to
> using an autoloader and not mangling include_path.
>
> Other than these everything is indeed ready...
>
I'd like to switch to an autoloader but at least one stable composer
release should be made with the legacy include-path option. There is a
lot of legacy code dependent on HTTP_Request2 and getting everyone to
update their usage to expect an autoloader is not realistic. This is an
issue with the current stable releases on composer and one reason why
I'd like to see a new stable release.

I propose at least the next stable release uses composer's include-path
option.

Re: HTTP_Request2 SSL/TLS issue (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Michael Gauthier
In reply to this post by Alexey Borzov
> I still need to address
> http://pear.php.net/bugs/bug.php?id=20462 which can lead to selecting
> less-secure SSL versions.
>
Can I help out with this? I have access to an old (Snow Leopard) and a
new OS X (El Capitan) machine. Is the current issue just that you are
unable to reproduce the issue or do you already have an API update in mind?

Let me know if I can help.

Cheers,
Mike


Re: HTTP_Request2 composer include path (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Alexey Borzov
In reply to this post by Michael Gauthier
Hi Michael,

On 08.02.2016 1:12, Michael Gauthier wrote:
>> I still need to address
>> http://pear.php.net/bugs/bug.php?id=20531
>>
> A fix for this looks like it was already merged into trunk. It's not the
> prettiest fix but should work.

Oops, forgot merging that. So that one is covered and I'll just have to
double-check whether install via composer works as expected.

>> I'd also like to run some tests with composer and probably switch to
>> using an autoloader and not mangling include_path.
>>
>> Other than these everything is indeed ready...
>>
> I'd like to switch to an autoloader but at least one stable composer release
> should be made with the legacy include-path option. There is a lot of legacy
> code dependent on HTTP_Request2 and getting everyone to update their usage to
> expect an autoloader is not realistic. This is an issue with the current stable
> releases on composer and one reason why I'd like to see a new stable release.
>
> I propose at least the next stable release uses composer's include-path option.

A good point. So keep include-path this release and add a changelog warning
about possible switch to autoload in the next release?


Re: HTTP_Request2 SSL/TLS issue (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Alexey Borzov
In reply to this post by Michael Gauthier
Hi Michael,

On 08.02.2016 1:14, Michael Gauthier wrote:
>> I still need to address
>> http://pear.php.net/bugs/bug.php?id=20462 which can lead to selecting
>> less-secure SSL versions.
>>
> Can I help out with this? I have access to an old (Snow Leopard) and a new OS X
> (El Capitan) machine. Is the current issue just that you are unable to reproduce
> the issue or do you already have an API update in mind?
>
> Let me know if I can help.

Well, it would be nice to know whether the report is reproducible. If you can
check on several OS X versions then please do this.

And yes, I have some code changes planned, one was mentioned in the next to last
comment in #20462: getting rid of insecure SSL versions in
HTTP_Request2_SocketWrapper::enableCrypto().

It may also make sense to use some newer knobs if we are running on PHP 5.4+
and/or PHP 5.6+ and to make changes outlined at
http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-(HTTPS-SSL-and-TLS).html




Re: HTTP_Request2 Travis issues (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Alexey Borzov
In reply to this post by Michael Gauthier
Hi Michael,

On 08.02.2016 1:08, Michael Gauthier wrote:
> The precise VM for Travis no longer includes PHP 5.2 as an option. If you still
> want to support 5.2 it has to be manually installed in the `before_script`
> section. I recommend just dropping 5.2 support and removing the test for 5.2.

Removed testing on 5.2 and added testing on 7.0. Build succeeds on 7.0, which is
good.

As for dropping support, I see no real benefit here: HTTP_Request2 runs OK on
5.2, so I'll just add a fat warning that it isn't *tested* on 5.2.


> For PHP 5.5 and 5.6 it looks like there is a config issue with the default PEAR
> install. See https://travis-ci.org/gauthierm/HTTP_Request2/jobs/107653291 which
> does a `pear config-show` before running tests.
>
> The PHP include path is:
>
>    /home/travis/.phpenv/versions/5.5.31/share/pear
>
> but the PEAR PHP path is:
>
>    /home/travis/.phpenv/versions/5.5.31/lib/php/pear
>
> Anything installed via PEAR on these systems is not in the default include path
> and causes a failure on require_once. I opened
> https://github.com/travis-ci/travis-ci/issues/5589 for the issue.

Thanks for the research. I've added a temporary workaround to
include_path-mangling in tests/TestHelper.php so now the build succeeds:

https://travis-ci.org/pear/HTTP_Request2/builds/107775957


Re: HTTP_Request2 SSL/TLS issue (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Michael Gauthier
In reply to this post by Alexey Borzov
On 2/7/2016 7:29 PM, Alexey Borzov wrote:

> Hi Michael,
>
> On 08.02.2016 1:14, Michael Gauthier wrote:
>>> I still need to address
>>> http://pear.php.net/bugs/bug.php?id=20462 which can lead to selecting
>>> less-secure SSL versions.
>>>
>> Can I help out with this? I have access to an old (Snow Leopard) and a
>> new OS X (El Capitan) machine. Is the current issue just that you are
>> unable to reproduce the issue or do you already have an API update in mind?
>>
>> Let me know if I can help.
>
> Well, it would be nice to know whether the report is reproducible. If
> you can check on several OS X versions then please do this.
>
> And yes, I have some code changes planned, one was mentioned in the next
> to last comment in #20462: getting rid of insecure SSL versions in
> HTTP_Request2_SocketWrapper::enableCrypto().
>
> It may also make sense to use some newer knobs if we are running on PHP
> 5.4+ and/or PHP 5.6+ and to make changes outlined at
> http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-(HTTPS-SSL-and-TLS).html
>
That's a great article. So for the next release the outstanding SSL/TLS
features are:

  * disable insecure SSL versions by default
  * in supported PHP/OpenSSL versions, set more secure SSL context
    options by default

Should we also distribute the ca bundle so peer verification works by
default?

Cheers,
Mike

Re: HTTP_Request2 SSL/TLS issue (was Re: Can I (or Alexey) do a release of HTTP_Request2?)

Alexey Borzov
Hi Michael,

On 08.02.2016 18:40, Michael Gauthier wrote:
>> Well, it would be nice to know whether the report is reproducible. If
>> you can check on several OS X versions then please do this.

Thanks for your testing of bug #20462

Looks like there was something fishy with the original report and/or with a
particular PHP installation the reporter used.

>>
>> And yes, I have some code changes planned, one was mentioned in the next
>> to last comment in #20462: getting rid of insecure SSL versions in
>> HTTP_Request2_SocketWrapper::enableCrypto().
>>
>> It may also make sense to use some newer knobs if we are running on PHP
>> 5.4+ and/or PHP 5.6+ and to make changes outlined at
>> http://phpsecurity.readthedocs.org/en/latest/Transport-Layer-Security-(HTTPS-SSL-and-TLS).html
>>
>>
> That's a great article. So for the next release the outstanding SSL/TLS features
> are:
>
>   * disable insecure SSL versions by default
>   * in supported PHP/OpenSSL versions, set more secure SSL context options by
> default

Yes. I'll make a few more tests on whether it is possible to force using TLS
above version 1.0 in PHP below version 5.6 but right now that doesn't seem to be
the case...

Maybe it is a good idea then to explicitly connect to tls:// instead of ssl://
anyway since this will at least prevent falling back to SSL v3.


> Should we also distribute the ca bundle so peer verification works by default?

I'd prefer not to, using system-wide bundle is a more robust solution.

Need of CA files and possible ways to set them up are already documented:
http://pear.php.net/manual/en/package.http.http-request2.config.php#package.http.http-request2.config.ssl


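
The TLS defaults discussed in the last few messages (no SSLv2/SSLv3 when enabling crypto on the socket, peer verification on, system-wide CA bundle unless a file is given), shown as an added example that is not part of the thread and not HTTP_Request2's own code. The function names are hypothetical, and on PHP 5.6+ the example goes one step beyond the thread by requiring TLS 1.1 or newer.

```php
<?php
// Added illustration; function names are hypothetical, not HTTP_Request2 API.
/** Client crypto bitmask that never includes SSLv2 or SSLv3. */
function tls_only_crypto_method()
{
    $method = 0;
    // Per-version constants exist on PHP 5.6+ (TLS 1.3 on PHP 7.4+).
    foreach (array('TLSv1_1', 'TLSv1_2', 'TLSv1_3') as $v) {
        $name = "STREAM_CRYPTO_METHOD_{$v}_CLIENT";
        $method |= defined($name) ? constant($name) : 0;
    }
    // Older PHP has no per-version constants: fall back to generic TLS.
    return $method ? $method : STREAM_CRYPTO_METHOD_TLS_CLIENT;
}

/** "ssl" context options with peer verification on; $cafile is optional. */
function hardened_ssl_options($host, $cafile = null)
{
    $opts = array('verify_peer' => true, 'allow_self_signed' => false,
                  'SNI_enabled' => true, 'disable_compression' => true);
    if (version_compare(PHP_VERSION, '5.6.0', '>=')) {
        $opts['peer_name']        = $host;   // name checked against the cert
        $opts['verify_peer_name'] = true;
    } else {
        $opts['CN_match'] = $host;           // pre-5.6 name check
    }
    // Without an explicit file, PHP 5.6+ uses the system-wide bundle.
    if ($cafile !== null) { $opts['cafile'] = $cafile; }
    return $opts;
}

/** Connect in plain TCP, then upgrade with the TLS-only method. */
function open_tls_stream($host, $port = 443, $cafile = null, $timeout = 10)
{
    $ctx = stream_context_create(array('ssl' => hardened_ssl_options($host, $cafile)));
    $stream = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr,
                                    $timeout, STREAM_CLIENT_CONNECT, $ctx);
    if ($stream === false) {
        throw new RuntimeException("connect failed: {$errstr} ({$errno})");
    }
    if (stream_socket_enable_crypto($stream, true, tls_only_crypto_method()) !== true) {
        fclose($stream);
        throw new RuntimeException("TLS handshake or certificate check failed for {$host}");
    }
    return $stream;
}

// Offline check: show what would be used, without opening a connection.
printf("crypto method bitmask: %d\n", tls_only_crypto_method());
print_r(hardened_ssl_options('example.org'));
```

On PHP below 5.6 the fallback method negotiates TLS 1.0 only, and `verify_peer` fails unless a `cafile` is supplied, because those versions do not load a default CA bundle.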