
Bug#1033492: unblock: php8.2/8.2.4-1



Hi Paul, Salvatore,

I've finally got some time here.

In all honesty, I thought that the pre-negotiated exception for PHP
does apply to all future Debian releases, so it did come as a surprise
that I have to explain this again.

The quality of PHP in Debian has increased since we started using
upstream versions to fix security bugs.

The basic release policy is described here:
https://www.php.net/supported-versions.php

> Each release branch of PHP is fully supported for two years from its initial stable release. During this period, bugs and security issues that have been reported are fixed and are released in regular point releases.
> After this two year period of active support, each branch is then supported for an additional year for critical security issues only. Releases during this period are made on an as-needed basis: there may be multiple point releases, or none, depending on the number of reports.
> Once the three years of support are completed, the branch reaches its end of life and is no longer supported. A table of end-of-life branches is available.

There's also a process for introducing new features to the **major** releases: https://wiki.php.net/rfc, but that doesn't apply here as we are sticking with a single **major** release branch (PHP 8.2); no new features are introduced to the single release track.

Upstream makes a new release every four weeks (https://www.php.net/ChangeLog-8.php#8.2.4), but we generally only update to the releases that contain security fixes, and I don't use the PU process to lighten the strain on the release team.

Apart from the upstream release process, all the PHP releases are regularly tested via external repositories that I maintain, so even the intermediate releases are thoroughly tested by hundreds of thousands or more - the Debian repository has 5+ TB of traffic and 150M+ hits; I have no statistics from the deployment, but any breakages are very quickly reported.

When the upstream security support ceases, I generally use Remi Collet's php-security repository to pull the security fixes for the last upstream release, as he's usually swift in preparing those.

Unblocking the latest php8.2 (8.2.4-1 and 8.2.5-1 next week) would be appreciated, so that the next Debian stable releases with the current PHP version.

Cheers,
Ondrej

On Tue, Mar 28, 2023, at 20:46, Salvatore Bonaccorso wrote:
Hi Paul,

On Sun, Mar 26, 2023 at 01:40:10PM +0200, Paul Gevers wrote:
> Hi Ondřej,

> On 26-03-2023 08:36, Ondřej Surý wrote:
> > just a quick reply - PHP already has a security (and if I remember correctly release) team exception from the last time. So, we already had this talk about upstream policies.

> I *suspect* the same, but because of the sheer amount of work ongoing for
> the release team at the moment, I hope people can help point to the relevant
> information instead of us needing to find it.

> It can obviously wait a couple of days, we're not *that* close to releasing
> yet.

if this helps on the decision: We would, similarly as done for
bullseye already, want to follow the upstream releases until supported
by upstream and then switch to cherry-pick security fixes only on top.

Ondrej can give a more detailed input, so please wait for his reply.

Regards,
Salvatore


--
Ondřej Surý (He/Him)
ondrej@sury.org
