Fwd: Status of PHP support in stretch

Fwd: Status of PHP support in stretch

Jochen Spieker
Hi,

I originally sent this to debian-user and did not receive any replies
there. I thought I should retry here and maybe get a (more or less)
official response.

Regards,
Jochen.

----- Forwarded message from Jochen Spieker <[hidden email]> -----

I noticed that PHP 7.0 is unsupported by upstream since the beginning of
2019:

https://secure.php.net/supported-versions.php

The most recent PHP version in stretch is, as of now, 7.0.33-0+deb9u1.
As far as I can tell, this is (roughly) the same as upstream 7.0.33 and
not a relabeled later upstream version and it does not contain
significant backports from later upstream versions.

Do I need to assume that PHP 7.0 in Debian is now only
security-supported by Debian alone? Is any DD close enough to upstream
to be able to at least backport new fixes from 7.1 and later if
necessary?

I found https://deb.sury.org/ which appears to be run by a DD[1]. But I
noticed that this version of PHP pulls in a different version of openssl
which rang some alarm bells with me. I would very much prefer something
more official, e.g. backports.debian.org.

So, what do you do with your stretch servers running PHP now? Pray for
good support in Debian, upgrade to 3rd party packages? Upgrade to buster
already?

Regards,
Jochen.

[1] FWIW, the PGP key used for the repository (AC0E47584A7A714D) is
    signed by Ondřej Surý (0C99B70EF4FCBB07) which, in turn, is
    signed by 184 keys from debian-keyring. The WoT probably does not get
    better than that.

----- End forwarded message -----

--
If I was a supermodel I would give all my cocaine to the socially
excluded.
[Agree]   [Disagree]
                 <http://archive.slowlydownward.com/NODATA/data_enter2.html>

Re: Status of PHP support in stretch

Ondřej Surý-4
I still don’t understand why everybody suddenly thinks PHP is special
in any way.  The packages will be treated the same as any other Debian
package - the important security fixes will be backported.

Ondrej

> On 8 Feb 2019, at 22:06, Jochen Spieker <[hidden email]> wrote:
>
> Hi,
>
> I originally sent this to debian-user and did not receive any replies
> there. I thought I should retry here and maybe get a (more or less)
> official response.
>
> Regards,
> Jochen.
>
> ----- Forwarded message from Jochen Spieker <[hidden email]> -----
>
> I noticed that PHP 7.0 is unsupported by upstream since the beginning of
> 2019:
>
> https://secure.php.net/supported-versions.php
>
> The most recent PHP version in stretch is, as of now, 7.0.33-0+deb9u1.
> As far as I can tell, this is (roughly) the same as upstream 7.0.33 and
> not a relabeled later upstream version and it does not contain
> significant backports from later upstream versions.
>
> Do I need to assume that PHP 7.0 in Debian is now only
> security-supported by Debian alone? Is any DD close enough to upstream
> to be able to at least backport new fixes from 7.1 and later if
> necessary?
>
> I found https://deb.sury.org/ which appears to be run by a DD[1]. But I
> noticed that this version of PHP pulls in a different version of openssl
> which rang some alarm bells with me. I would very much prefer something
> more official, e.g. backports.debian.org.
>
> So, what do you do with your stretch servers running PHP now? Pray for
> good support in Debian, upgrade to 3rd party packages? Upgrade to buster
> already?
>
> Regards,
> Jochen.
>
> [1] FWIW, the PGP key used for the repository (AC0E47584A7A714D) is
>    signed by Ondřej Surý (0C99B70EF4FCBB07) which, in turn, is
>    signed by 184 keys from debian-keyring. The WoT probably does not get
>    better than that.
>
> ----- End forwarded message -----
>
> --
> If I was a supermodel I would give all my cocaine to the socially
> excluded.
> [Agree]   [Disagree]
>                 <http://archive.slowlydownward.com/NODATA/data_enter2.html>

Re: Status of PHP support in stretch

Jochen Spieker
Hi Ondřej,

thanks for chiming in.

Ondřej Surý:
>
> I still don’t understand why everybody suddenly thinks PHP is special
> in any way.  The packages will be treated the same as any other Debian
> package - the important security fixes will be backported.

I am not sure who you are addressing (I may have missed relevant
discussion about this question), but from my (not particularly well
informed) point of view, PHP is a big piece of software which plays a
critical role on many systems. Additionally, it is generally perceived
to be prone to security issues.

Debian has already dropped support for packages in stable in the past
when nobody felt able to support them. Kudos and many thanks to you if
you are able and willing to do so. I just do not think this can be taken
as a given under all circumstances. Hence my question.

Of course, the question remains what is going to happen with security
issues in 7.0 for which there is no backportable upstream fix.

J.
--
If I could travel in time I would show my minidisc to the Romans and
become Caesar until the batteries ran out.
[Agree]   [Disagree]
                 <http://archive.slowlydownward.com/NODATA/data_enter2.html>
