PHP version retirement

Miroslav Lachman 000.fbsd at quip.cz
Fri Aug 16 07:44:19 UTC 2019


Martin Waschbüsch wrote on 2019/08/16 09:27:

> Thank you for your input.
> While I agree that PHP, in general, has been and still is a source of lots of security issues, I do not think this is the central point in this debate.
> There might be a high probability of security issues that are PHP related for all I know, but again, the real question is:
> 
> Why drop a package that has just had recent security updates after a couple of weeks?
> 
> I pointed out that I do not think lack of upstream development is in and of itself sufficient grounds for doing so. At the very least, while it may be unwise to use a now obsolete version of PHP, I doubt if an argument along the lines of 'We removed this from ports. It's for your own good' is a very good one. (For a number of reasons).

+1

> The only other arguments I got so far seem to be about resources. I can understand that. With limited resources you have to prioritize and something will have to give.
> Now, in a reply to Adam, I asked specifically if there were pointers that would help me evaluate how much effort is really involved.
> (My working theory being that I so far underestimate the work required to do this.)

The effort to keep 5.6 in a tree for a few more months would be ... very 
little. It was done in quarterly branch after 5.6 was removed from head 
branch. I did my own updated version of the port (and extensions) from 
5.6.39 to 5.6.40 without any issues - running on a couple of machines till 
this day.

> Also, I asked if people were open to letting a group of people interested in doing so continue to maintain an old version of php so that it does not have to be removed from ports.
> Kurt suggested that as a feasible way forward and I agree.
> Earlier, Adam seemed open to discussing a way forward as well, but I am not sure that still is the case.
> Since I do not yet feel comfortable that I correctly estimate the amount of work, if enough people can be found to volunteer for this, but I remain hopeful.
> 
> All this notwithstanding, would you be willing to exchange hints & ideas about securing (as far as possible) PHP setups some more, off-list?
> I'd like to ask some more about your approach.

You can put webserver, or just php-fpm inside jail and then just nullfs 
mount the directory tree with websites on partition with noexec mount 
flag .. to name a few.

Kind regards
Miroslav Lachman
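The jail-plus-nullfs layout Miroslav describes, as an added defender's check that is not part of the original thread: a POSIX sh function that reads fstab-style nullfs entries (constructed sample lines with hypothetical paths) and flags any mount of web content that lacks noexec, with nosuid added as a companion option that the post itself does not mention.

```shell
#!/bin/sh
# Added example (not from the original thread): audit fstab-style lines for
# nullfs mounts of web content that lack noexec/nosuid. The input below is a
# constructed sample in FreeBSD fstab syntax, not a real system's fstab.

SAMPLE_FSTAB='/srv/www /jails/web/usr/local/www nullfs ro,noexec,nosuid 0 0
/srv/www2 /jails/web/usr/local/www2 nullfs rw 0 0
/srv/uploads /jails/web/var/uploads nullfs rw,noexec,nosuid 0 0
/dev/ada0p2 / ufs rw 1 1'

# has_opt OPTIONS NAME -> returns 0 if NAME is one of the comma-separated OPTIONS
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_nullfs_mounts reads fstab lines from stdin and prints the mountpoint
# of every nullfs mount missing noexec or nosuid; returns 1 if any were found.
check_nullfs_mounts() {
    found=0
    while read -r dev mnt fstype opts rest; do
        [ -z "$dev" ] && continue            # skip blank lines
        case "$dev" in '#'*) continue ;; esac  # skip comments
        [ "$fstype" = nullfs ] || continue   # only nullfs mounts are of interest
        missing=""
        has_opt "$opts" noexec || missing="$missing noexec"
        has_opt "$opts" nosuid || missing="$missing nosuid"
        if [ -n "$missing" ]; then
            echo "$mnt: missing$missing"
            found=1
        fi
    done
    return $found
}

# Usage: feed the sample (or a real /etc/fstab.<jailname>) into the checker.
if printf '%s\n' "$SAMPLE_FSTAB" | check_nullfs_mounts; then
    echo "all nullfs mounts carry noexec,nosuid"
else
    echo "review the mounts listed above"
fi
```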

