Hey there,
since some months the phpmyadmin package for debian stretch is not updated, so it's still vulnerable for CVE-2018-19968:
https://security-tracker.debian.org/tracker/CVE-2018-19968
Because of that I recommend using an own repository for phpmyadmin packages. Any plans for that? :-)
The Debian package was originally maintained by me and there used to be a PPA with recent packages. I don't have the time for that and nobody was willing to help (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=879741 was filed one and half year ago), so I've given up and dropped the PPA (see https://twitter.com/mcihar/status/1103290188938264576).
There is https://salsa.debian.org/phpmyadmin-team where some initial work was done for packaging libraries, but I have not clue what state is there (besides those being outdated by almost year now).
I'm interested in helping with maintenance of the Debian package. I've been wanting to do this for a while, but I always end up leaving that aside.
Is it interesting for us to have a debian repository? The same way we have for docker and composer.
Having our own repository would allow us to offer better updates than the
Debian hierarchy allows, but we'd have to be careful about dependency
versions (for instance, if we no longer support MySQL prior to version 8,
but most Debian repositories only contain version 5.7). I'm neutral on this
idea, I'm not really in favor or against it.
There are repositories to bring recent PHP or MariaDB versions on Debian, those people would use having recent phpMyAdmin as well. For example see https://github.com/oerdnj/deb.sury.org/issues/1131
The reason for having own repo is that Debian Buster will ship without phpMyAdmin and people will look for installing it there. The alternative approach might be to introduce it there through backports.
For such applications an own repository makes sense, because of faster releasing of new versions. phpmyadmin is non-critical for the system and normally can be updated to newest stable releases. Gitlab is also another good example for having an own repository.
Debian is rather known to be serious but not really reactive. By serious, I mean also rather secure and usable for a production environment.
Not having a package in Debian repository looks just crazy to me. If not coming through Debian backport or by an official own phpmyadmin repository, this means lots will install phpmyadmin on their own (you begin to find recipes about it if you google "phpmyadmin buster"). Sadly, just few of them will really follow the project, and the majority will forget, keeping an old version without paying attention to its security as long as it works.
@ibennetch Having your own repository leaves you free to be stricter than Debian regarding version support (just have to explain this in an introduction web page, anyway users will see it as it's set in package version dependencies), and allow you provide a distribution you consider reliable and sure. I don't say it's easy, but usually once the scripts are good it's rather automatic.
So for me, as a system administrator, I'm not neutral. This situation is the worst for me: no package in Debian repository and no "official" phpmyadmin repository.
Buster is not officially stable right now. I do not know much about the Ubuntu/Debian relationship, but Ubuntu should follow the Debian position... This should awake the claim.
cc @Blaimi
Hey there,
I've made some progress recently packaging the current version for the upcoming buster release as well as backporting the PMASA back to stretch and jessie on salsa.debian.org.
the work ist based on work from @fsateler and @gratuxri.
@williamdes started reviewing the mergerequests and did already some upstream patches. we (@krumedia) also did a bionic backport for internal use which is working β at least for the simple basic operations we uns on our dev-machines.
To come forward, we need a Debian Developer as Mentor for uploading the Package into the official repositories. Maybe @fsateler can help with that.
Reviews and Testing of the merge-requests on salsa are very welcome. I am looking forward to create a ppa during the next for easier testing.
Is it still planned to use own repository? I recommend that instead of uploading to debian default repository (in past we already had this problem, because of that I created this issue) :-)
What do you mean with βownβ? Owned by @phpmyadmin on github or a repository for packages separated from this one? π And what was the problem? The main problem in the past 1.5 years was, that noone was found to maintain the packaging β that's nothing a separate repository could fix π
If you mean only to be separated, the repository on salsa ist perfectly fine. Its purpose is only for the debian packaging part of the project and intergates fine into the debian CI.
Packaging for Debian is way more than knowing the project itself but much more about knowing how Debian _and_ its politics work. While I have been creating packages for years now (internal use only), I still have to learn a lot.
Using salsa is IMO the best way to maintain the package. Anyone who wants to contribute is welcome and can create mergerequests, issues or have access to the repository. Having an additional separate repository will only make sense if you do not want to follow the the dfsg or violate the debian policy (e.g. by including libraries like openlayers or any composer package in the package). Gitlab does that for example: you can gitlab as debian package from debian or from gitlab β they have not very much in common except they are based on the same sourcecode. These packages will never be accepted in the main repository but can have more recent versions.
If you want to know more about the current state for the upcoming buster release, please have a look at https://salsa.debian.org/phpmyadmin-team/phpmyadmin/issues/1
or do you mean _debian_ repository instead or _git_ repository? The ppa should do the job also for buster since the code is the same.
EDIT: yes, TL;DR; π
Even with my misunderstanding there are still arguments which are valid:
The main problem in the past 1.5 years was, that noone was found to maintain the packaging β that's nothing a separate repository could fix.
Packaging for Debian is way more than knowing the project itself but much more about knowing how Debian _and_ its politics work. While I have been creating packages for years now (internal use only), I still have to learn a lot.
phpmyadmin is non-critical for the system
I don't think so. pma is installed on thousands of servers and a defacto-default on any LAMP-installation. I am with you in the context of having bugs in a software only useful for developers which can always use a different tool (like CLI) but absolutely not with you in the context of bugs in a software which can give malory direct access to databases and execute plain sql which would not be possible if the software is not installed. I assume +90% of the installations are used for the one and only 'localhost' and are not secured by any other techniques than the login with sql-server-credentials. that's why there are bots who check for wordpress-security-issues to grab the server-config (including the db-password) and login to the database using pma.to manipulate wp_posts.
Gitlab is also another good example for having an own repository.
I'd not say βgoodβ on that. Have you ever used it? The package even brings its own postgresql-server. These packages are IMO only useful for playgrounds and not production-environments. And do not even _try_ to uninstall the package. It installs configurations and services and tons of stuff everywhere on the system and has no uninstall routine.
Buster is not officially stable right now. I do not know much about the Ubuntu/Debian relationship, but Ubuntu should follow the Debian position... This should awake the claim.
I'm not really sure about that. They still ship pma 4.6 in bionic which has an error as first impressions after login. they are also shipping mysql5.7 in disco bit mysql was not even available in stretch.
I'm not sure about the coming up 'eoan' but I'm absolutely confident to get the new version to 20.04 which is the next LTS after bionic (name?)
So, in the meanwhile I did not only overcome my lazyness and read the whole issue but also tested the ppa on buster.
I could install phpmyadmin with the following workflow:
apt-get install gnupg
apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 42YOUWILLKNOWWHERETOGETTHEFINGERPRINT45
wget http://ftp.de.debian.org/debian/pool/main/p/php-symfony-polyfill/php-symfony-polyfill-mbstring_1.9.0-1_all.deb
dpkg -i dpkg -i php-symfony-polyfill-mbstring_1.9.0-1_all.deb
apt-get install -fy
echo 'deb http://ppa.launchpad.net/phpmyadmin/ppa/ubuntu bionic main' > /etc/apt/sources.list.d/phpmyadmin-ppa.list
apt-get update
apt-get install default-mysql-server apache2
apt-get install phpmyadmin
This has some problems:
From the end-user-perspective this has one main advantage: It makes it easy to install pma from an pma-'official' channel for debian and maybe it's derivates.
So, having an own debian-repository leads to one important question:
Do you want to have the same versions as in debian β or even be compatible/interchangeabe β or do you want to make a package independent/conflicting the debian one (gitlab-way)
has the same packages as debian has. packages comes from the same maintainers
versions could be more recent for older debians
needs to maintain a complex debian-repository
has own versions of phpmyadmin in it's own repository
If someone of the phpmyadmin-team is willing to do the stuff around the CI/Travis (building, hosting, signing, etc) I can create the debian-part to create a package based on the *source.tar.gz-artifacts which includes all the dependencies and should be able to be installed on all debian-derivates which have a compatible php-version.
ah, I forgot to mention the alternatives: snap and flatpak. These formats are especially invented to include all the dependencies and libraries in a single package and to be distribution-independent. I don't know much about how they fit for webapplications which require connections to sql-servers but it deserves a chance.
I am using them only for desktop-applications (intellij, skype, firefox nightly) and cannot help on that topic. I even could not find any similar app on a quick view in snapstore or on flathub.
I don't think so. pma is installed on thousands of servers and a defacto-default on any LAMP-installation. I am with you in the context of having bugs in a software only useful for developers which can always use a different tool (like CLI) but absolutely not with you in the context of bugs in a software which can give malory direct access to databases and execute plain sql which would not be possible if the software is not installed. I assume +90% of the installations are used for the one and only 'localhost' and are not secured by any other techniques than the login with sql-server-credentials. that's why there are bots who check for wordpress-security-issues to grab the server-config (including the db-password) and login to the database using pma.to manipulate wp_posts.
Same opinion, I meant it's non-critical for the system itself, if application is not running anymore because of a bug in update (only application is not running anymore, there's no dependency to other applications).
About the security issues, you're completely right, because of that I opened this issue. phpmyadmin should definitely be available via debian repository (debian or own doesn't matter), otherwise we'll have lots of unpatched instances.
The reason why I thought about an own debian repository is following security issue:
https://security-tracker.debian.org/tracker/CVE-2018-19968
For Debian Stretch it's still not fixed. One of the reasons could be, that debian only accepts security patches, which needs be be done for each debian version separetely (takes time). If you have your own debian repository you could deploy every version (e.g. on stable branch) to your repository automatically, doesn't matter what you added (security fixes, features, ui changes).
I merged https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/6/ into the stretch branch so we can upload the package with the fix.
BTT: I will not have time to create a package until next week, but maye someone wants to create a new (and empty, i.e no initial empty commit or readme or license β¦) repository like github.com/phpmyadmin/debian.git and add me as a developer in the meanwhile.
building the package from native format (like in a debian branch in the main repo) is no option because including all the dependencies is not possible.
Ah, and we would have to find a new package-name π how about phpmyadmin-omnibus π
hah, nextcloud is also distributed as snap
https://github.com/nextcloud/nextcloud-snap
https://snapcraft.io/nextcloud
the problem with adopting the package is that it brings it's own mysql-server. Having an own apache is not very resource-friendly but would not be a big deal if we don't use port 80 (or 443) and force any user to setup a reverse-proxy in the 'main apache-instance' (or nginx or lighhttp or whatever). We should also be able to use something more leightweight like an nginx. Having it's own mysql is the big deal since phpmyadmin without access to any database except it's own makes the software very useless.
the nextcloud-snap has also 122 open issues in the time of this writing. many of them are not related to nextcloud or its snap-package itself but for the correct handling on snap, apache, redis and other stuff. (there are only 5 open issues with the label 'bug'). I don't think a potential pma-snap would have the same ratio on support-issues to real bugs because pma doesn't have plugins, but you will have to deal with new problems coming from snap users.
conclusion:
some links:
https://www.github.com/blaimi/phpmyadmin-debian-omnibus
https://launchpad.net/~phpmyadmin/+archive/ubuntu/ppa/
I also added tcpdf and php-symfony-polyfill to the phpmyadmin ppa
the omnibus-package cannot (yet?) be installed on jessie because the php-package-names have changed from php5-* to php-*. I don't know yet if I'll ever find the motivation to do this β¦
EDIT: The upload of php-symfony-polyfill is not done yet. The package cannot build because of a version-mismach of phpunit. I will have to wait until the deletion of the current package is done so I can upload a version with a ~ppa-suffix and disabled tests.
Thanks for working on this!
I've installed it on a test Debian Buster VM and it works nice.
I'm also trying this on a test Debian stretch VM, but it's missing the php-psr-container package.
I've manually added it from the buster repo
Then it's still missing a part of Twig (1.24.0-2+deb9u1 of php-twig is installed).
PHP Fatal error: Uncaught Error: Class 'Twig\\Loader\\FilesystemLoader' not found in /usr/share/phpmyadmin/libraries/classes/Template.php:61
the new version of pma is not planned to be released for debian stretch. debian stretch has a working phpmyadmin-package. Since stretch is now oldstable it's not worth the effort to get any new version into backports.
Our goal at the moment is to get the package as fast as possible into buster-backports. For ubuntu 18.04 the ppa is working and we maybe can get it also into bionic-packports. The effort here is worth it because the current bionic-package is broken (pma 4.6.6 does not support php7.2 from bionic but 7.0 from stretch)
the twig-problem is obvious. the twig-extension-package brought you by the ppa is based on twig2 but stretch has twig1
Debian Stretch has still a working version, which is vulnerable:
https://security-tracker.debian.org/tracker/CVE-2018-19968
That was the reason for my ticket. If it's too complicated, we should set focus on >= Buster. Thank you for your work!!
I backported this here: salsa:phpmyadmin-team/phpmyadmin!6.
I'm still not 100% aware of when and how and who to upload and which changes are allowed by the debian-policy and all that stuff β¦ the 'everything is an email with a cli-tool for βeasyβ usage'-organization is sadly not very motivating.
the new packages necessary for newer phpmyadmin are still in the new-package-queue (since >2.5 month) and I completely don't know why β¦
@Blaimi I share the feeling
The system seems kind of strange, I did not find any documentation that explained everything 100%
Some other Linux based systems have clear documentation and unsurprisingly they all are up to date for phpmyadmin
If someone can find a way to make some progress on the package queue upload of our packages...
:tada: https://tracker.debian.org/news/1078745/accepted-phpmyadmin-4491dfsg1-2-source-into-unstable/
one step closer to get phpMyAdmin insto buster-backports
:tada:
https://tracker.debian.org/news/1082573/accepted-phpmyadmin-4492dfsg1-1-source-into-unstable/
https://tracker.debian.org/phpmyadmin/
Will migrate to testing tomorrow π
Hooray, more than 2 year after not having any updates :tada: :muscle:
phpMyAdmin is back into testing !
[2019-11-27] phpmyadmin 4:4.9.2+dfsg1-1 MIGRATED to testing (Debian testing watch)
[2019-01-17] phpmyadmin REMOVED from testing (Debian testing watch)
[2017-07-15] phpmyadmin 4:4.6.6-5 MIGRATED to testing (Debian testing watch)
What a journey !
A big thank you to all the phpMyAdmin packaging team members !
We are now trying to get phpMyAdmin back into buster using buster-backports.
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845031 by @OlafvdSpek Sat, 19 Nov 2016
Thank you very much!
Since the package is still not in buster-backports, I installed the phpmyadmin package from testing in my buster installation. This requires to also install the following packages from testing, since they are not available in buster:
After installing these packages, phpmyadmin works on buster!
What about Ubuntu?
I see PPA has 4.9.1 as latest version.
Can we get 4.9.3?
@garak we will update the PPA as soon as possible, we are updating Debian testing soon
Hello for everyone. I am a new at this discussion, but I have some good knowledge of this programm functionallity and how it works, I used a lot of time.
Also I have good knowledge at PHP and JavaScript skills.
I was thinking about this too.
I just wan't to give my words about this.
First what I wanted to say is that we need to support Mysql? Maybe we can just use mariadb at least the best choise for using phpmyadmin for PPA.
Second what I wanted to say is that, I agree with all comments who said before, but I think we need to make a PPA who will close enough to master branch of this github. Because if we need rolling releases from phpmyadmin it should be doing directly from master and not waiting a lot of time.
And of course we need a controlling about PPA, build it, and make it more user friendly for installation. If somebody from main developers need a free hand for this, I can help.
Third what I wanted to say is about the php versions of what people uses in their servers or home computers. My php version is primary now 7.3+, but in some couple time at least 1-2 years I will change it to 7.4.
Don't you think we need to add a function who will not get installed if the php version is not less than 7.3?
Thank you guys.
Hi everyone
I published 4.9.4 to the Ubuntu PPA :rocket: !
Only available for Eoan and Bionic.
Second what I wanted to say is that, I agree with all comments who said before, but I think we need to make a PPA who will close enough to master branch of this github. Because if we need rolling releases from phpmyadmin it should be doing directly from master and not waiting a lot of time.
We already have a PPA and do our best to package as quickly as possible the relases :)
I look forward to phpmyadmin on debian buster!
Hi there,
thanks for keeping up the work providing recent phpmyadmin packages.
With the latest phpmyadmin depends on php-phpmyadmin-motranslator (>= 5.0) but in the PPA is only 4.0-3 available.
Many thanks, Jan.
Hi @waja
Thank you for pointing this out
I did not notice this because debian/control change was forgotten on f68bff7a4b3a0708ed8b244590f74b863d13c063
Anyway, I fixed this by publishing motranslator 5 to the Ubuntu PPA
Happy apt-get upgrade
Since the package is still not in
buster-backports, I installed thephpmyadminpackage fromtestingin mybusterinstallation. This requires to also install the following packages fromtesting, since they are not available inbuster:
* php-google-recaptcha
* php-phpmyadmin-motranslator
* php-phpmyadmin-shapefile
* php-phpmyadmin-sql-parser
* php-twig-extensionsAfter installing these packages, phpmyadmin works on
buster!
It looks like all dependencies of the main phpmyadmin package found the way to buster-backports. Just the main package is missing, now.
We are missing php-twig >= 2.9 and then we will upload phpmyadmin to buster-backports :tada:!
https://ftp-master.debian.org/backports-new.html
https://packages.debian.org/buster-backports/phpmyadmin
Add this source to you /etc/apt/sources.list
deb http://deb.debian.org/debian buster-backports main
apt-get update && apt-get install phpmyadmin
Add the key if needed and apt-get update
curl -o- "http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x04EE7237B7D453EC" | sudo apt-key add -
# wget -O-
You will maybe need to upgrade some packages before
I had to apt-get upgrade php-tcpdf php-twig -y
I was also obliged to do apt-get install -t buster-backports php-twig OR apt-get install php-twig=2.13.1-1~bpo10+1 to force the upgrade before installing phpmyadmin
NB: 2.13.1-1~bpo10+1 comes from apt-cache policy php-twig
Please leave feedback here or email me at [email protected]
From now, "Own Debian repository" by @Ninos is done and #845031 by @OlafvdSpek is now closed after 4 years !!
A big thank you for all the people involved in bringing back the package !! :tada:
Near one year of hard work ! (for multiple reasons)
Congratulations and very well done β€οΈ
thanks for a great job, i can finally use phpmyadmin on Debian 10!
apt-get upgrade php-tcpdf php-twig
Installed successfully but phpmyadmin still see error:
phpmyadmin : Depends: php-twig (>= 2.9) but 2.6.2-2 is to be installed
Recommends: php-bz2
Recommends: php-zip
Hi @MESWEB
Please try https://github.com/phpmyadmin/phpmyadmin/issues/15236#issuecomment-615954993 (apt-get install php-twig=2.12.5-1~bpo10+1)
@williamdes
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '2.12.5-1~bpo10+1' for 'php-twig' was not found
Could you please write bash script for automated installation of phpmyadmin. You can call it like debian10installation.sh and put this file into phpmyadmin directory. This script will download latest version an do all installation process.
@williamdes
Building dependency tree Reading state information... Done E: Version '2.12.5-1~bpo10+1' for 'php-twig' was not foundCould you please write bash script for automated installation of phpmyadmin. You can call it like debian10installation.sh and put this file into phpmyadmin directory. This script will download latest version an do all installation process.
Please try apt-policy twig to view the available packages for backports and be sure to have added buster-backports and updated apt lists
First of all: Thank you very much for making phpmyadmin available through backports! :cake:
Not because of convenience, but because I believe that server maintenance profits greatly from unified basic installation processes from common/official sources. I was very surprised to see phpmyadmin missing in Debian Buster repos.
Regarding the php-twig installation, here's what worked for me:
$ apt install -t buster-backports php-twig
apt update && apt install -t buster-backports phpmyadmin
And you will have phpMyAdmin 5.0.4 π
Enjoy and open new issues for any question or bug found
Happy new year and enjoy the new version!
Most helpful comment
https://packages.debian.org/buster-backports/phpmyadmin
Add this source to you
/etc/apt/sources.listapt-get update && apt-get install phpmyadminAdd the key if needed and
apt-get updateYou will maybe need to upgrade some packages before
I had to
apt-get upgrade php-tcpdf php-twig -yI was also obliged to do
apt-get install -t buster-backports php-twigORapt-get install php-twig=2.13.1-1~bpo10+1to force the upgrade before installingphpmyadminNB:
2.13.1-1~bpo10+1comes fromapt-cache policy php-twigPlease leave feedback here or email me at [email protected]
From now, "Own Debian repository" by @Ninos is done and #845031 by @OlafvdSpek is now closed after 4 years !!
A big thank you for all the people involved in bringing back the package !! :tada:
Near one year of hard work ! (for multiple reasons)