
Re: PHP4 Forward Port to Lenny



Hi Guy!

On Friday 05 February 2010, Guy.Baconniere@swisscom.com wrote:
> Problem:
> I need to migrate some of our old servers from Etch to Lenny but I
>  cannot because PHP4 is only available on Etch and we have scripts
>  running on CLI and on Apache mod_php4 which are not compatible with
>  PHP5 (because the class auto loader does not work, and some calls and PEAR
>  modules are not backward compatible). Of course we have developers
>  currently busy trying to port all apps from PHP4 to Java..
> 
> What is better: having 100% outdated packages, or having 98% up to date
>  plus 2% PHP4* with big security holes?
> 
> Solution1:
> Forward port PHP4 to Lenny and ask the developers to speed up removing the 2%
>  => done. Try as best we can to manage attacks on PHP4 using mod_security
>  etc.

If you go this route, I recommend this:

- Write up a paper stating that you will not take responsibility for continued usage 
of PHP 4 under any circumstances. State there that staying with PHP 4 
is against your recommendations, and state why. Get that underwritten by 
your employer. Outright refuse to do any Lenny upgrades before you have 
that paper signed. I strongly recommend that for your own indemnification. 
If your employer is insane enough to sign this paper, at least he cannot 
hold you responsible for any security breach that might come from it.

- Set up a company-private crap repository for the forward-ported package 
instead of putting it up somewhere on the internet, where it encourages other 
people to leave their servers insecure.

- Leave backports.org and any other Debian infrastructure alone with it. 
You are on your own.

Even then I recommend checking this solution against your conscience. If 
you cannot feel good about such a hack and your employer insists that you 
do it anyway, I strongly recommend that you find a new employer. Because 
then the employer does not respect your expertise as a systems engineer at 
all.

And FWIW: adapting PHP applications from PHP 4 to 5 IMHO does not need a 
rewrite. Whether they are more secure with a simple adaptation is another 
question, though. Any unmaintained PHP application that processes user 
input, be it for PHP 4 or 5, is a security risk.

> Solution2:
> Do nothing and continue using Etch for a year.. Until the developers
>  are ready.. So you can have a security hole in 100% of the system..
> 
> In any case in term of security you will always find a hole.. Etch,
>  Lenny.. It's a matter of number of software running, bugs, time,
>  exploits, --

IMHO that's not much more insecure at all. An outdated PHP 4 and, more 
importantly outdated PHP web applications are such a big "come in, have 
fun!" sign to everyone with access to those servers that it isn't even 
funny anymore.
 
> Solution3:
> Using OpenVZ / Virtuozo, Chroot+GRSecurity, Xen, KVM, Vmware, etc. to
>  have a 100% outdated Etch for a year running as a "guest" on a 100% up
>  to date Lenny.. What is the point ??

What is the point in updating to Lenny when you most likely have a 
security hole with outdated PHP and PHP applications that is big enough 
for everyone to come in? What additional security will Lenny give you? 
None, IMHO, it just lures you into a false sense of being secure. Security 
of a system is defined by its weakest spot. If you have a city wall with a 
really big hole that one man - you - cannot defend against attackers, what 
is the point in having the other parts of the city wall still intact? I 
doubt that anything else in Etch can be more insecure than PHP 4 with 
outdated PHP applications. If it was some small hole that we talk of, 
maybe, but not with such a big one.

Ciao,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
