
Add PHP PEAR/PECL type

Open LaurentGoderre opened this issue 1 year ago • 10 comments

Add Purl type for PHP PECL package type

LaurentGoderre avatar Apr 02 '24 14:04 LaurentGoderre

https://github.com/anchore/syft/pull/2604

LaurentGoderre avatar Apr 02 '24 14:04 LaurentGoderre

PECL and PEAR are different. PEAR is closer to composer as it is PHP code vs PECL which is native extensions to PHP.

LaurentGoderre avatar Apr 03 '24 13:04 LaurentGoderre

Added some tests, but the docs don't specify how to run the tests

LaurentGoderre avatar Apr 03 '24 13:04 LaurentGoderre

The PECL page says that PECL is PEAR:

The packaging and distribution system used by PECL is shared with its sister, PEAR.

https://pecl.php.net/

matt-phylum avatar Apr 03 '24 13:04 matt-phylum

You can't use interchangeably

root@5a371520ac37:/# pear install APCu
No releases available for package "pear.php.net/APCu" - package pecl/APCu can be installed with "pecl install APCu"
install failed
root@5a371520ac37:/# pecl install Archive_Tar
No releases available for package "pecl.php.net/Archive_Tar"
install failed

LaurentGoderre avatar Apr 03 '24 14:04 LaurentGoderre

Not being able to install them the same way doesn't mean they aren't the same system. They use the same protocol with different repository_urls (channels).

$ pear channel-info pecl.php.net
Channel pecl.php.net Information:
=================================
Name and Server         pecl.php.net
Alias                   pecl
Summary                 PHP Extension Community Library
Validation Package Name PEAR_Validator_PECL
Validation Package      1.0
Version
Server Capabilities
===================
Type Version/REST type Function Name/REST base
rest REST1.0           https://pecl.php.net/rest/
rest REST1.1           https://pecl.php.net/rest/
$ pecl channel-info pear.php.net
Channel pear.php.net Information:
=================================
Name and Server         pear.php.net
Alias                   pear
Summary                 PHP Extension and Application Repository
Validation Package Name PEAR_Validate
Validation Package      default
Version
Server Capabilities
===================
Type Version/REST type Function Name/REST base
rest REST1.0           http://pear.php.net/rest/
rest REST1.1           http://pear.php.net/rest/
rest REST1.2           http://pear.php.net/rest/
rest REST1.3           http://pear.php.net/rest/
Channel pear.php.net Mirrors:
=============================
us.pear.php.net
de.pear.php.net
Mirror us.pear.php.net Capabilities
===================================
Type Version/REST type Function Name/REST base
rest REST1.0           http://us.pear.php.net/rest/
rest REST1.1           http://us.pear.php.net/rest/
rest REST1.2           http://us.pear.php.net/rest/
rest REST1.3           http://us.pear.php.net/rest/
Mirror de.pear.php.net Capabilities
===================================
Type Version/REST type Function Name/REST base
rest REST1.0           https://de.pear.php.net/rest/
rest REST1.1           https://de.pear.php.net/rest/
rest REST1.2           https://de.pear.php.net/rest/
rest REST1.3           https://de.pear.php.net/rest/

pecl is actually pear with PEAR_RUNTIME set to pear.

You can't use interchangeably

root@5a371520ac37:/# pear install APCu
No releases available for package "pear.php.net/APCu" - package pecl/APCu can be installed with "pecl install APCu"
install failed
root@5a371520ac37:/# pecl install Archive_Tar
No releases available for package "pecl.php.net/Archive_Tar"
install failed

You can install pecl packages using pear.

$ pear install pecl.php.net/APCu
…
install ok: channel://pecl.php.net/apcu-5.1.23
configuration option "php_ini" is not set to php.ini location
You should add "extension=apcu.so" to php.ini

But going the other direction doesn't work?

$ pecl install pear.php.net/Archive_Tar
pear.php.net is using an unsupported protocol - This should never happen. Use --force to continue
install failed

Having incompatible packages doesn't necessarily mean they are different package types. alpm, apk, etc. have incompatible packages in different repositories (i.e. there is no alpine or openwrt package type). gem stores incompatible packages in the same repository (jruby).

If pear and pecl packages are typically managed using different files for different purposes, maybe both types should be added, referencing each other since it seems like for PURL implementations they are nearly identical.

To use the same package type, if you had a list of pecl extensions you could write them as pkg:pear/name?runtime=pecl or pkg:pear/name?repository_url=https://pecl.php.net/ instead of pkg:pecl/name.

matt-phylum avatar Apr 03 '24 16:04 matt-phylum

@matt-phylum in my opinion, what is being installed (native extensions vs PHP code) is different enough to warrant distinct Purls

LaurentGoderre avatar Apr 12 '24 15:04 LaurentGoderre

@matt-phylum @pombredanne After some consideration, I updated the PR to have pear as the type that supports both PEAR and PECL.

Here is the PR for the modified implementation in Syft: https://github.com/anchore/syft/pull/2775

LaurentGoderre avatar Apr 12 '24 16:04 LaurentGoderre

@pombredanne can you take another look at this?

LaurentGoderre avatar May 28 '24 14:05 LaurentGoderre

If the namespace of the PURL contains information for channel discovery, how does it interact with repository_url qualifier? Does repository_url override the base URL that would normally be determined through channel discovery?

matt-phylum avatar Jul 05 '24 14:07 matt-phylum

@matt-phylum I am not sure....

LaurentGoderre avatar Jul 05 '24 16:07 LaurentGoderre

@cweiske do you think you can review as a PEAR contributor?

LaurentGoderre avatar Jul 29 '24 15:07 LaurentGoderre