Re: Packages not supportable in squeeze-lts
On Fri, May 16, 2014 at 11:30:51AM +0200, Jan Ingvoldstad wrote:
> On 16. mai 2014, at 11:17, Matt Palmer <mpalmer@debian.org> wrote:
> > I expect servers running PHP to be a significant part of the squeeze
> > LTS-using "cohort".
> 
> Regrettably, this is my/my employer's interest in the matter as well. :)
I guess we get to toss for who wants to do the PHP security updates, then.
<grin>
> >  As much as it pains me to say it, I think I'd end up
> > spending time supporting this PHP version for security updates if any came
> > up (work lets me do this on company time, so yeah...).  I totally understand
> > if Wordpress/Joomla/anyone sane wanted to drop support for PHP 5.3 in their
> > PHP-using application, though.
> 
> It would be nice, though, if PHP 5.3-current could be supported. I think
> that PHP is by the very nature of how its developers treat it, a volatile
> package that cannot reasonably be frozen at a given version.
Yeah, they don't have a sterling history of sticking to "patches in patch
releases".  Unfortunately, it's for that reason that I'd want to stick with
5.3.3 for LTS, rather than moving to 5.3.28.  There's a non-zero chance that
*something* was changed in there that's going to break some customer's site,
and that's not cool.
> For the most part, we have been able to address user/customer concerns by
> noting that we use Debian's packaged version, where security patches are
> backported, and therefore that version is reasonably safe.
Yeah, version-checking audit tools suck.
> However, after Joomla! 3.3 came, 5.3.10 is required, and yes, they check
> the version number.
> 
> I suspect this is due to feature change and (rather important) bugfixes
> that have been made in the early days of PHP 5.3.
Quite likely.  For me in those situations, though, it's much easier to talk
the customer into taking the risk of upgrading to wheezy, or getting a
second machine running wheezy for their new site.
> For wheezy, I'm sticking to the most recent versions of PHP 5.5.x, and not
> using the standard Debian packages of 5.4 – there appears to be no sane
> reason to want to stick to 5.4.  But that's another debate.  :)
Yeah, we've done some custom packaging of PHP versions for customers over
the years, but it's always come with the explicit caveat that it's
unsupported, won't get any automated security patching, and if it *does*
need to be patched, it'll be upgraded to a later PHP release with all the
risks that entails.  Some customers are OK to wear the risk, some aren't.
That's a different story, though, to the vast majority of customers I just
want to keep safe on a version of PHP that's doing just fine for them and
their sites, which typically they want to not have to worry about (that's
*our* job, after all...).
- Matt
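Added illustration (not part of the thread, and not Debian's or Joomla's own code) of the point about version-checking audit tools: a check that only reads the upstream part of a squeeze package version such as 5.3.3-7+squeeze19 cannot see the security fixes carried in the Debian revision, whereas the package changelog can. The changelog excerpt and the CVE ids in it are constructed placeholders.

```python
import re

# Constructed debian/changelog excerpt, newest entry first. The version strings
# follow squeeze's "upstream 5.3.3 plus Debian revision" scheme; the CVE ids are
# placeholders, not real identifiers.
CHANGELOG = """\
php5 (5.3.3-7+squeeze19) squeeze-security; urgency=high

  * Backport upstream fix for CVE-XXXX-0001 (placeholder id)

php5 (5.3.3-7+squeeze18) squeeze-security; urgency=high

  * Backport upstream fix for CVE-XXXX-0002 (placeholder id)
"""

def split_debian_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, has_epoch, rest = version.partition(":")
    if not has_epoch:
        epoch, rest = "0", version
    upstream, has_rev, revision = rest.rpartition("-")
    if not has_rev:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def upstream_at_least(version, required):
    """What a version-number audit tool (or an application installer) does:
    compare only the dotted upstream part and ignore the Debian revision."""
    def as_tuple(s):
        return tuple(int(p) for p in re.findall(r"\d+", s))
    _, upstream, _ = split_debian_version(version)
    return as_tuple(upstream) >= as_tuple(required)

def cves_fixed_by(version, changelog):
    """Collect CVE ids from the changelog entry for `version` and every older
    entry below it (fixes from earlier revisions are still present)."""
    fixed, counting = set(), False
    for line in changelog.splitlines():
        header = re.match(r"^\S+ \(([^)]+)\)", line)
        if header:
            counting = counting or header.group(1) == version
        if counting:
            fixed.update(re.findall(r"CVE-[\dX]{4}-\d{4,}", line))
    return fixed

def assess(version, required_upstream, cve, changelog=CHANGELOG):
    """Contrast the two views of the same installed package."""
    return {
        "upstream_check_passes": upstream_at_least(version, required_upstream),
        "cve_fixed_per_changelog": cve in cves_fixed_by(version, changelog),
    }
```

On a real system the changelog text would come from /usr/share/doc/php5/changelog.Debian.gz rather than the constant above.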