[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: php4 on Squeeze?

In <[🔎] AANLkTin+A446cEdM_cwRqavp4LadgFYdj0kYSHo-kHWU@mail.gmail.com>, Ed Curtis 
>Is there a way I can install php4 on my fresh install of Debian 6.0? I will
>also need many php4 mods such as gd, mysql, etc.

Okay, I hope the other three replies you got made this clear: Using PHP4 is 
dangerous, do not do it if you do not have to.  Even if you have to run PHP4 
for now, prioritize moving to PHP5 in the near future.

PHP4 was dropped from Debian (see bug 428266) on or around 2007-07-04, before 
Lenny was released.  This means that the master repository should no longer 
contain PHP4 packages.  However, Debian provides two different archival 
services that may allow you get .debs or even use an APT repository in order 
to install PHP4.

(Method 1.)  The most complete is snapshot.d.o.  It currently holds dozens of 
PHP4 versions <http://snapshot.debian.org/package/php4/>.  For the most 
recent version, a large number of binary packages were generated and are 
available <http://snapshot.debian.org/package/php4/6:4.4.6-2/>.  When 
installing PHP4 using this method, you will download .deb packages and 
install them using dpkg.  You will have to resolve dependencies manually, but 
dpkg will issue a warning that includes enough information for you to look up 
those packages on snapshot.d.o as well.

(Method 2.)  Less complete, but more familiar to some is archive.d.o.  Here, 
the last version of each Debian release is archived.  You can point apt to 
the Etch archive using a line like:
deb http://archive.debian.org/debian etch main
This service also holds a number of other Etch-related APT repositories that 
you might want to use when trying to run an Etch system.

When installing via APT, dependencies will be resolved automatically and 
pulled from any configured repository.  This allows you to try and mix Etch's 
PHP4 packages with Lenny's base system (which will still get security 
updates) or even Squeeze's kernel (which is fully supported by Debian 
Developers right now).  While just using Etch packages puts you beyond 
support, mixing releases can certainly cause its own trouble.

(Method 3.)  If you need a version that was in Debian testing or unstable, 
but was never in a released version of Debian and you still want to use APT 
to install packages, you'll go back to snapshot.d.o.  You might also do this 
if the version on archive.d.o has a regression in it.  archive.d.o just has 
the final state of the repository; snapshot.d.o saves old state as well and 
makes them easily accessible by date.

For example, you can use the following line to tell APT to get packages from 
Lenny the last time PHP4 was in it (when it was testing) -- 2007-05-29:
deb http://snapshot.debian.org/archive/debian/20070529 lenny main

A second example, you can use the following line to tell APT to get packages 
from Sid the last time PHP4 was in it -- 2007-05-01:
deb http://snapshot.debian.org/archive/debian/20070501 sid main

(Conclusion and Recommendation.)  Unless you have some specific need that you 
didn't mention in your original post, I recommend taking a working Lenny 
install and adding Etch from archive.d.o to the available sources.  Mixing 
Etch and Lenny shouldn't cause too many issues, and I think having security 
support for as many packages as possible (the ones you pull from Lenny) is 
important enough to balance those issues.  Even with that support, you'll 
want to step up the level of paranoia in your security practices around that 

You will need to migrate away from PHP4 in less than a year under this plan.  
Security support for Lenny will have run out by then.  Also, the Etch/Lenny 
mixture might continue to give you issues, but you'd lose the benefit of 
security support.  At that point, mixing Etch with anything with security 
support will be untenable.  If you want to have PHP4 available indefinitely, 
don't mix Lenny and Etch.  Just install Etch and be super-isolationist-
paranoid about that install; I'm pretty sure there are known attacks against 
some of the software that was in Etch.
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to: