How to get a non suhosin version of php on Ubuntu Hardy Heron (8.04)

December 7, 2008

I was trying to install a php extension when I read somewhere that said extension won’t work on Ubuntu Hard Heron PHP because it has Suhosin patch installed by default from that version up and that doesn’t play nice with some extensions. After some search I found how to recompile php without Suhosin and I’m going to consolidate the info here.

  1. Get the php5 source (this puts it in a folder work for cleanliness sake): mkdir work && cd work && apt-get source php5 && cd php5-5.2.4
  2. Make sure you can build it by doing: sudo apt-get build-dep php5
  3. Remove suhosin patch: rm debian/patches/suhosin.patch
  4. nano debian/patches/series
  5. Remove suhosin.patch line (it’s near the bottom of the file).
  6. If you never built a debian package before: sudo apt-get install devscripts
  7. Change version number (DO NOT PUT THE WORD suhosin in the version name): debchange -v 5.2.4-2ubuntu6~customName
  8. When you get presented with the nano text editor, just type something like “Hopefully removed Suhosin”, and press Ctrl+X and Enter to save.
  9. Build (this takes a while):  debuild
  10. The .deb packages should be in the folder if done correctly:   ls -l ../*.deb
  11. Quick install:  sudo dpkg -i ../*.deb

This recompiled php for me and the extensions and setting that were already installed were untouched.

6 Responses

  1. humantropy » Suhosin patch should not be installed by default in Ubuntu

    April 30th, 2009

    [...] Suhosin patch is applied to PHP by default. There’s no way to opt out of it. Here’s a great blog post showing how to put it together without  it. Turns out there is php5-suhosin the package, and then [...]

  2. Developer’s Kanundrum » Blog Archive » Upgrading Ubuntu Feisty Fawn (7.04) to Hardy (8.04 LTS)

    May 1st, 2009

    [...] (if you had that installed) because the suhosin patch is installed by default in this version. See this post for help with getting a non-suhosin version of php [...]

  3. mseymour

    February 26th, 2010

    I am trying to remove the suhosin patch per your instructions above, but something is not working. For starters when I do the apt-get source php5 it pulls down a tar file php5_5.2.4.orig.tar.gz that when unziped creates a php-5.2.4 directory but there is no debian directory in the structure.

    My guess is that there has been some type of update to the files, but I can not find any .patch files.

    Any thoughts?

  4. Austin Burbridge

    May 16th, 2010

    Thanks for posting this — baking the (defective) suhosin patch into the PHP distro was an error, which presented nothing but unpleasant alternatives for those of us whose Web services were disrupted by spurious “canary” errors.

    I followed the instructions. OK with only a couple of problems:

    Step 8 “Hopefully removed Suhosin” provoked an error: parsechangelog/debian: warning: debian/changelog(l3): badly formatted heading line
    LINE: Hopefully removed suhosin
    … were the quotation marks part of the text to be written?, Never mind; I just deleted the remark.

    Step 9 needed sudo

    Right now I’m waiting for Step 9 to complete — fingers crossed!

  5. Austin Burbridge

    May 16th, 2010

    … Build failed!

    > dpkg-deb: building package `php-pear’ in
    > `../php-pear_5.2.4-2ubuntu8~nopatch_all.deb’.
    > dpkg-genchanges parsechangelog/debian: warning:
    > debian/changelog(l9): badly formatted heading line
    > LINE: “Hopefully removed suhosin” dpkg-genchanges:
    > not including original source code in upload
    > dpkg-buildpackage (debuild emulation): binary and
    > diff upload (original source NOT included) Now
    > signing changes and any dsc files… signfile
    > php5_5.2.4-2ubuntu8~nopatch.dsc User Name
    > gpg: WARNING: unsafe ownership on
    > configuration file `/home/user/.gnupg/gpg.conf’
    > gpg: WARNING: unsafe ownership on configuration
    > file `/home/user/.gnupg/gpg.conf’ gpg: keyring
    > `/home/user/.gnupg/secring.gpg’ created gpg:
    > skipped “User Name “: secret
    > key not available gpg: [stdin]: clearsign failed:
    > secret key not available debsign: gpg error
    > occurred! Aborting…. debuild: fatal error at
    > line 1174: running debsign failed

    I wish I knew how to fix the gnupg thing! Any suggestions? Please

  6. Austin Burbridge

    May 16th, 2010

    Tried again, here’e what it says

    $ mkdir work && cd work && apt-get source php5 && cd php5-5.2.4
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Need to get 9870kB of source archives.
    Get:1 http://archive.ubuntu.com hardy-updates/main php5 5.2.4-2ubuntu5.10 (dsc) [1971B]
    Get:2 http://archive.ubuntu.com hardy-updates/main php5 5.2.4-2ubuntu5.10 (tar) [9705kB]
    Get:3 http://archive.ubuntu.com hardy-updates/main php5 5.2.4-2ubuntu5.10 (diff) [162kB]
    Fetched 9870kB in 5s (1691kB/s)
    gpg: new configuration file `/home/user/.gnupg/gpg.conf’ created
    gpg: WARNING: options in `/home/user/.gnupg/gpg.conf’ are not yet active during this run
    gpg: Signature made Wed Jan 6 21:24:27 2010 UTC using DSA key ID 40B8CCDA
    gpg: Can’t check signature: public key not found
    dpkg-source: extracting php5 in php5-5.2.4
    dpkg-source: unpacking php5_5.2.4.orig.tar.gz
    dpkg-source: applying ./php5_5.2.4-2ubuntu5.10.diff.gz

    Clearly the lack of a public key is the problem. But I don’t know how to get around it or to make a public key with gnupg — I mean the problem is, I do not know what “user id” it thinks it needs.

Leave a Reply