On Aug 19, Charles Plessy <plessy@debian.org> wrote: > - PHP scripts can be executed by Apache httpd through libapache2-mod-php5 or > php5-cgi. Debian recommends libapache2-mod-php5, but there are still This is another issue which concerns me, since mod_php forces the use of preforking apache, which means that the server will either stop serving pages or OOM at the first hint of real traffic. (And obviously mod_php is wildly insecure for multitenants servers.) > thousands of installations wich report the use of php5-cgi according to the > Popularity Contest statistics. Yes, because sensible people who need PHP will try to use it as CGI/FastCGI (or FPM, finally in wheezy). > - This breaks the websites executing PHP scripts through php5-cgi, and > a solution is being be documented in the php5 package's NEWS file. > http://anonscm.debian.org/gitweb/?p=pkg-php/php.git;a=commitdiff;h=f7a6351c620075a9d2a551fbed38ea26919f0d94 I think that this entry is too mild/vague: - "including but possibly not limited to the Apache HTTPD Server": such a major issue justifies being specific about the affected packages - too many "may"s, while the entry should clearly state, maybe in caps, something like "this will almost certainly break your server if you use PHP as CGI/FastCGI, and also leak your source code and passwords" > This will interrupt upgrade of servers using php5-cgi, but to avoid surprises, > the rough consensus in #674089 is also to document the same information in the > release notes. I agree with the interrupting upgrades for such a major package is going to be annoying. I am also concerned that a *simple* solution to restore the old behaviour in a secure way is not provided: maybe php5-cgi should install a sensible default configuration in /etc/apache2/conf.d/ ? -- ciao, Marco
Attachment:
signature.asc
Description: Digital signature