PHAR RFC

[theofidry]

This is a meta document to keep track of what could be submitted to PHP core.

Deprecate the OpenSSL signature.

As explained here, the PHAR signature provides no guarantee whatsoever and the OpenSSL signature is especially bad as it it:

• requires to handle a private key + prompt on Box (or any other bundler) side
• requires to always have the .asc file to have the PHAR working, making it a lot less convenient to use.

Allow to set the timestamp of the PHAR

Make https://github.com/Seldaek/phar-utils obsolete.

Metadata/Manifest

Deprecate the Metadata

See #1152.

TL:DR;

• No known good use case of the PHAR metadata.
• It requires to load the PHAR in the first place (not ideal).
• SBOMs is now the de-facto standard.

Provide a new method to retrieve the manifest

Since we have industry standards as SBOM or libraries like Manifest, it could make sense to have a Phar::getManifest() method.

Compression algorithm

New compression algorithms

• Brotli with php-ext-brotli – Add Brotli as a compression option #455
• XZ – Provide XZ compression #211
• Maybe more?

Supported Compression Algorithms

API wise the following is missing:

• get the exhaustive list of compression algorithms supported by PHP
• get a human readable name for a given compression algorithm
• get the compression algorithm value to use for the PHAR API
• whether the compression algorithm is available (i.e. the required extension is installed)
• getting the name of the required extension

Box uses KevinGH\Box\Phar\CompressionAlgorithm but it does not cover the entirety of it.

Usage of the compression algorithm

There is two issues:

• When the compression algorithm is none, you cannot call compressFiles and instead need to call decompressFiles.
• Poor error handling when the compression fails.

The relevant Box code is:

try {
    if (CompressionAlgorithm::NONE === $compressionAlgorithm) {
        $this->phar->decompressFiles();
    } else {
        $this->phar->compressFiles($compressionAlgorithm->value);
    }
} catch (BadMethodCallException $exception) {
    $exceptionMessage = 'unable to create temporary file' !== $exception->getMessage()
        ? 'Could not compress the PHAR: '.$exception->getMessage()
        : sprintf(
            'Could not compress the PHAR: the compression requires too many file descriptors to be opened (%s). Check your system limits or install the posix extension to allow Box to automatically configure it during the compression',
            $this->phar->count(),
        );

    throw new RuntimeException($exceptionMessage, $exception->getCode(), $exception);
}

[theofidry]

To format:

# Document to write ideas of what should be in PHP src

## Extension name

From PackageInfo / Extension

// Some extensions name differs in how they are registered in composer.json
// and the name used when doing a `extension_loaded()` check.
// See https://github.com/box-project/box/issues/653.
private const EXTENSION_NAME_MAP = [
    'zend-opcache' => 'zend opcache',
];

## (unrelated) Propose ::create(...) or ::__construct(...) or Foo(...) (i.e. the classname)

[theofidry]

• PharInfo
• PharDiff
• PharFactory

[theofidry]

Form #1534 the order of the files matters, which makes it harder to create deterministic builds and also means we need a way to account for it when doing a PHAR diff.