Date: Sat, 10 Aug 2019 10:53:51 +0000
From: Carmel NY <carmel_ny@outlook.com>
To: FreeBSD Ports <freebsd-ports@freebsd.org>
Subject: Re: PHP version retirement
Message-ID: <MWHPR04MB04950619F07BE48AFDD2033B80D10@MWHPR04MB0495.namprd04.prod.outlook.com>
In-Reply-To: <CF1F28D6-1072-4BE6-B124-A97DE43FA4E6@waschbuesch.de>
References: <CF1F28D6-1072-4BE6-B124-A97DE43FA4E6@waschbuesch.de>
On Sat, 10 Aug 2019 10:17:44 +0200, Martin Waschbüsch stated:

>Hi all,
>
>At least the last two versions of PHP, 5.6 & 7.0, were removed from
>ports as soon as (or even shortly before) they were no longer actively
>maintained upstream. I am unsure what the exact reasoning behind this
>was, but I do not think it is a good idea moving forward:
>
>I suppose it is true that outdated & no longer supported versions of
>PHP could be seen as a security risk. So far so good.
>
>However, if, for whatever reason (and I think there are legitimate
>ones), I still need to use a now obsolete version of PHP, having them
>removed from ports effectively makes it harder for me to keep
>everything else up-to-date. I might have to stick with an old ports
>revision so I cannot update other packages. If I just keep PHP as is,
>and update other packages, I cannot easily switch to a new version of
>FreeBSD itself, because I'd have to go back to an old revision of
>ports (hopefully working with the OS version I updated to) to compile
>PHP and then do other packages. Libraries / dependencies may change
>and break my PHP, etc. So, on top of possible security concerns for
>the outdated software I use, I basically get an overall less secure /
>stable system to boot.
>
>Now, I am not suggesting we leave every old and outdated PHP version
>in ports, but why remove a port just days after it received its last
>security update upstream? (With PHP 5.6 it was actually removed from
>ports before it got its last update upstream).
>
>Would it not be better to have, say, the last two versions before
>current stable still in ports but with a huge disclaimer saying: use
>at your own risk, etc.?
>
>What do y'all think?
>
>Martin

If I might be allowed to interpolate, I believe that continuing to expose
obsolete versions of software in the 'ports' system is a bad idea.
It is enabling the use of software that, for one reason or another, has been
superseded by a newer and possibly safer or more mature version. Usually, when
a version or application is going to be removed from the 'ports' system, it is
duly noted well in advance. I would recommend that we set a hard number, say 6
months or one year at max, before said software is removed. That should give
even the most procrastinating user ample time to render his/her system ready
for that inevitability. If they have not accomplished that within the set time
frame, they probably were never serious about doing it.

Just my 2¢.

-- 
Carmel