Hosting Provided By

Re: [gentoo-server] PHP4

From: Lindsay Haisley <fmouse-gentoo(at)fmp.com>
Date: Tue Jan 22 2008 - 13:12:34 EST

On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
> So...you know enough to run your ISP on Gentoo (at least I'd hope so), but you
> think that the ebuilds being removed from portage will mean you can no longer
> have php4? If you really want to keep it, stick the ebuilds in an overlay and
> stop complaining.
>
> Gentoo is removing the php4 ebuilds from the tree, because it won't be
> security-supported by upstream very shortly. Gentoo doesn't have the manpower to
> do security backports and such....we just bump to the next version. Until you're
> paying to use Gentoo, please don't complain about how the distro does things.
> Especially when the complaint it "stupid".

Andrew, please be moderate in your responses. We're all doing the best we can with a complex technology. Information and sound analysis help. Sarcasm and insulting words don't. This is a technical forum.

Yves, the bottom line here is that PHP4 has been found by the upstream PHP developers to have security flaws that aren't easily addressed, and probably won't be. Many distributions, not just Gentoo are dropping support for it since the upstream development focus has switched to PHP5 and PHP6.

Some of your customers may have issues with their scripts and PHP5, but having done this upgrade as a consultant to a programmer with a major, very OO PHP-based research software system, my observation is that the problems are probably relatively minor and easily fixed. Two things to remember:

It's important to take a good look at the php.ini files for both PHP4 and PHP5 and make sure that all the options which might affect script execution are compatible.
It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and PHP5 on the same system and use either one on a per-directory or per-file basis, so you can switch potentially problem customers over to PHP5 one by one.

My guess is that upgrading globally to PHP5 will affect a relatively small percentage of your customer base if php.ini synchronization is good. PHP5 is very backward compatible in most things. Your decision and your actions must also depend on your evaluation of the security risks, and how the value of your work in maintaining PHP4 and dealing with possible security breaches balances against the work involved in upgrading to PHP5 and helping your customers with possible scripting issues.

There are a lot of ways to maintain an obsolete package, the simplest of which is to download the upstream developers' source package and build and install it outside of Gentoo - not advisable but very doable.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | 
http://pubkeys.fmp.comhttp://www.fmp.com    |                       |


-- 
gentoo-server@lists.gentoo.org mailing list

Received on Tue Jan 22 13:13:16 2008

This message: [ Message body ]
Next message: Yves Thommes: "Re: [gentoo-server] PHP4"
Previous message: RijilV: "Re: [gentoo-server] PHP4"
In reply to: Andrew Gaffney: "Re: [gentoo-server] PHP4"
Next in thread: Yves Thommes: "Re: [gentoo-server] PHP4"
Reply: Yves Thommes: "Re: [gentoo-server] PHP4"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Mon Jun 16 2008 - 17:41:27 EDT