
Re: Why do we still have this on the distribution?

Gunnar Wolf said:
> Adam: Is there a reason for keeping PHP3 in the archive?

It has users.  One of those users recently let me know that he continues
to use it, because it "just works".  For the curious, that user also
happens to be a member of the security team.  I won't reveal his name, in
case he prefers not to deal with the embarrassment of running something as
unhip as an old version of PHP.

> Is there a real reason to keep carrying this cruft? I understand the
> packages are not (or don't appear to be) buggy... However, their bits are
> rotting. They are not widely used anymore, and they might have all sorts
> of problems that do not get detected. I don't know if patches for the php4
> modules are backported (if the problem exists, of course) for older php3
> modules.

It will certainly suffer bitrot, as many (MANY) packages in Debian do.  I
do, however, still attend to bug reports about the packages, and backport
security fixes for vulnerabilities found in php4 that are also present in
php3.  Heck, I even occasionally look at non-security bugs and toss those
around a bit.  This is probably more than one can say for maintainers of
many packages with active upstreams.

Someone in this thread mentioned that "upstream doesn't send us patches
for php3, so how will we know how to fix stuff?!".  Well, guess what? 
They often don't send us patches for php4 either (and wouldn't/won't for
php5).  The argument that "upstream doesn't deliver us neat and tidy
security updates for our source packages" would probably invalidate 95% of
our archive.  Maybe not a bad idea. ;)

At any rate.  I will petition for php3's removal when I'm bored with it,
when someone else backs me into a corner to do so, or when I'm convinced
no one uses it or cares about it anymore.

... Adam
