How to require specific libraries dependencies

[macintoshplus]

I think it would be interesting to specify in the required elements of the composer.json file the libraries needed for the extension. Like extension, the prefix lib- can be used.

These dependencies would allow us to check for security vulnerabilities and during compilation, retrieve the source code or binary/SDK automatically.

Exemple:

{
    "name": "php/imap",
    "type": "php-ext",
    "require": {
        "php": ">=8.0",
                "lib-c-client": "2007f",
                "lib-openssl": ">=3.0.8"
    },
    "php-ext": {
        "extension-name": "imap"
    }
}

For openssl the tag used are openssl-3.0.8 or openssl-3.0.15.pl1 or newer.

[asgrim]

Indeed, Composer supports the lib- prefix, but I don't know off my head if/how it checks those dependencies. Can certainly be looked into as a future enhancement.

[remicollet]

Checking library for composer packages (runtime) is very different than checking development header needed by C extension (buildtime)

The check is usually done in config.m4, don't know if a duplicated check is really needed

Common usage is pkg-config, so a check relying on this may be a simple solution

$ pkg-config --exists libzip && echo OUI || echo NON
OUI
$ pkg-config --exists libfoo && echo OUI || echo NON
NON

OR, checking minimal version

$ pkg-config --atleast-version 1.0 libzip && echo OUI || echo NON
OUI
$ pkg-config --atleast-version 2.0 libzip && echo OUI || echo NON
NON

So something like

"require": {
        "php": ">=8.0",
                "command(pkg-config)": "*",
                "pkgconfig(libzip)": ">=1.0.0"
}

Other usage is checking header availability (.h) or/and shared library (.so)

[macintoshplus]

The goal of listing the library is to check if the development package is installed on Linux or to download the library on Windows.

For Windows, each library is built separately from the extension and stored here: https://downloads.php.net/~windows/pecl/deps/

If pie can check if library development is installed, on Windows it can download the library from the repository defined in the configuration (the URL must be changed without an upgrade needed).

The building command of the PHP extension on Windows is the same (exclude some exceptions) as Linux when using phpize.

@remicollet, IMHO this syntax is too complex:

"require": {
        "php": ">=8.0",
                "command(pkg-config)": "*",
                "pkgconfig(libzip)": ">=1.0.0"
}

[asgrim]

@macintoshplus note that PIE does not support building extensions on Windows at the moment, it will ONLY download prebuilt binaries at the moment (see docs: https://github.com/php/pie/blob/main/docs/extension-maintainers.md#windows-support ) so Windows isn't really a consideration at the moment. What Remi said about pkg-config is correct; and this is currently what ./configure already does. Unless Composer already checks libraries out the box (again, I have not yet checked, so I don't know Composer's behaviour when checking lib-* requires, IMO it wouldn't be worth putting in the effort to do this (and yes, it may need some more complex syntax than just "lib-openssl": ">=3.0.8", I expect)

[macintoshplus]

Hi @asgrim,

The goal of adding library dependencies is multiple:

• Check on Linux to see if all libraries are present before starting the building. (sometimes the information about the library is not found in the middle of the log).
• This information can be used to check the known vulnerabilities and alert the maintainer to update the requirements (e.g., snyk, OWASP dependency track).
• This information can be used in another building system to help to check/get all dependencies before building (ex: Windows building system).

For this reason, the library dependencies constraints must be more system agnostic. The real check must be implemented by Pie or another program (e.g., a Pie plugin).