PHP version retirement

Carmel NY carmel_ny at outlook.com
Sat Aug 10 10:53:55 UTC 2019


On Sat, 10 Aug 2019 10:17:44 +0200, Martin Waschbüsch stated:
>Hi all,
>
>At least the last two versions of PHP, 5.6 & 7.0, were removed from
>ports as soon as (or even shortly before) they were no longer actively
>maintained upstream. I am unsure what the exact reasoning behind this
>was, but I do not think it is a good idea moving forward:
>
>I suppose it is true that outdated & no longer supported versions of
>PHP could be seen as a security risk. So far so good.
>
>However, if, for whatever reason (and I think there are legitimate
>ones), I still need to use a now obsolete version of PHP, having them
>removed from ports effectively makes it harder for me to keep
>everything else up-to-date. I might have to stick with an old ports
>revision so I cannot update other packages. If I just keep PHP as is,
>and update other packages, I cannot easily switch to a new version of
>FreeBSD itself, because I'd have to go back to an old revision of
>ports (hopefully working with the OS version I updated to) to compile
>PHP and then do other packages. Libraries / dependencies may change
>and break my PHP, etc. So, on top of possible security concerns for
>the outdated software I use, I basically get an overall less secure /
>stable system to boot.
>
>Now, I am not suggesting we leave every old and outdated PHP version
>in ports, but why remove a port just days after it received its last
>security update upstream? (With PHP 5.6 it was actually removed from
>ports before it got its last update upstream).
>
>Would it not be better to have, say, the last two versions before
>current stable still in ports but with a huge disclaimer saying: use
>at your own risk, etc.?
>
>What do y'all think?
>
>Martin

If I might be allowed to interpolate, I believe that continuing to
expose obsolete versions of software in the 'ports' system is a bad
idea. It is enabling the use of software that, for one reason or
another, has been superseded by a newer and possibly safer or more
mature version.

Usually, when a version or application is going to be removed from the
'ports' system, it is duly noted well in advance. I would recommend
that we set a hard number, say 6 months or one year at max before said
software is removed. That should give even the most procrastinating
user ample time to render his/her system ready for that inevitability.
If they have not accomplished that within the set time frame, they
probably were never serious about doing it.

Just my 2¢.

-- 
Carmel