Own Debian repository

[Ninos]

Hey there,

since some months the phpmyadmin package for debian stretch is not updated, so it's still vulnerable for CVE-2018-19968:
https://security-tracker.debian.org/tracker/CVE-2018-19968

Because of that I recommend using an own repository for phpmyadmin packages. Any plans for that? :-)

[nijel]

The Debian package was originally maintained by me and there used to be a PPA with recent packages. I don't have the time for that and nobody was willing to help (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879741 was filed one and half year ago), so I've given up and dropped the PPA (see https://twitter.com/mcihar/status/1103290188938264576).

There is https://salsa.debian.org/phpmyadmin-team where some initial work was done for packaging libraries, but I have not clue what state is there (besides those being outdated by almost year now).

[MauricioFauth]

I'm interested in helping with maintenance of the Debian package. I've been wanting to do this for a while, but I always end up leaving that aside.

Is it interesting for us to have a debian repository? The same way we have for docker and composer.

[ibennetch]

Having our own repository would allow us to offer better updates than the Debian hierarchy allows, but we'd have to be careful about dependency versions (for instance, if we no longer support MySQL prior to version 8, but most Debian repositories only contain version 5.7). I'm neutral on this idea, I'm not really in favor or against it.

[nijel]

There are repositories to bring recent PHP or MariaDB versions on Debian, those people would use having recent phpMyAdmin as well. For example see oerdnj/deb.sury.org#1131

The reason for having own repo is that Debian Buster will ship without phpMyAdmin and people will look for installing it there. The alternative approach might be to introduce it there through backports.

[Ninos]

For such applications an own repository makes sense, because of faster releasing of new versions. phpmyadmin is non-critical for the system and normally can be updated to newest stable releases. Gitlab is also another good example for having an own repository.

[e-gaulue]

Debian is rather known to be serious but not really reactive. By serious, I mean also rather secure and usable for a production environment.

Not having a package in Debian repository looks just crazy to me. If not coming through Debian backport or by an official own phpmyadmin repository, this means lots will install phpmyadmin on their own (you begin to find recipes about it if you google "phpmyadmin buster"). Sadly, just few of them will really follow the project, and the majority will forget, keeping an old version without paying attention to its security as long as it works.

@ibennetch Having your own repository leaves you free to be stricter than Debian regarding version support (just have to explain this in an introduction web page, anyway users will see it as it's set in package version dependencies), and allow you provide a distribution you consider reliable and sure. I don't say it's easy, but usually once the scripts are good it's rather automatic.

So for me, as a system administrator, I'm not neutral. This situation is the worst for me: no package in Debian repository and no "official" phpmyadmin repository.

Buster is not officially stable right now. I do not know much about the Ubuntu/Debian relationship, but Ubuntu should follow the Debian position... This should awake the claim.

[williamdes]

cc @Blaimi

[Blaimi]

Hey there,

I've made some progress recently packaging the current version for the upcoming buster release as well as backporting the PMASA back to stretch and jessie on salsa.debian.org.

the work ist based on work from @fsateler and @gratuxri.

@williamdes started reviewing the mergerequests and did already some upstream patches. we (@krumedia) also did a bionic backport for internal use which is working — at least for the simple basic operations we uns on our dev-machines.

To come forward, we need a Debian Developer as Mentor for uploading the Package into the official repositories. Maybe @fsateler can help with that.

Reviews and Testing of the merge-requests on salsa are very welcome. I am looking forward to create a ppa during the next for easier testing.