Date: Fri, 16 Aug 2019 09:44:14 +0200 From: Miroslav Lachman <000.fbsd@quip.cz> To: =?UTF-8?Q?Martin_Waschb=c3=bcsch?= <martin@waschbuesch.de>, FreeBSD Ports <freebsd-ports@freebsd.org> Subject: Re: PHP version retirement Message-ID: <b3be5e14-4a44-ff2c-e2c4-b10aca99934e@quip.cz> In-Reply-To: <57D05F4F-9379-4760-8BEE-7B432A6008DE@waschbuesch.de> References: <CF1F28D6-1072-4BE6-B124-A97DE43FA4E6@waschbuesch.de> <97336C1A-6743-462B-984A-6C513A5B9CED@prime.gushi.org> <57D05F4F-9379-4760-8BEE-7B432A6008DE@waschbuesch.de>
next in thread | previous in thread | raw e-mail | index | archive | help
Martin Waschbüsch wrote on 2019/08/16 09:27: > Thank you for your input. > While I agree that PHP, in general, has been and still is a source of lots of security issues, I do not think this is the central point in this debate. > There might be a high probability of security issues that are PHP related for all I know, but again, the real question is: > > Why drop a package that has just had recent security updates after a couple of weeks? > > I pointed out that I do not think lack of upstream development is in and of itself sufficient grounds for doing so. At the very least, while it may be unwise to use a now obsolete version of PHP, I doubt if an argument along the lines of 'We removed this from ports. It's for your own good' is a very good one. (For a number of reasons). +1 > The only other arguments I got so far seem to be about resources. I can understand that. With limited resources you have to prioritize and something will have to give. > Now, in a reply to Adam, I asked specifically if there were pointers that would help me evaluate how much effort is really involved. > (My working theory being that I so far underestimate the work required to do this.) The effort to keep 5.6 in a tree for a few more months would be ... very little. It was done in quaterly branch after 5.6 was removed from head branch. I did my own updated version of the port (and extensions) from 5.6.39 to 5.6.40 without any issues - running on couple of machines till this day. > Also, I asked if people were open to letting a group of people interested in doing so continue to maintain an old version of php so that it does not have to be removed from ports. > Kurt suggested that as a feasible way forward and I agree. > Earlier, Adam seemed open to discussing a way forward as well, but I am not sure that still is the case. > Since I do not yet feel comfortable that I correctly estimate the amount of work, if enough people can be found to volunteer for this, but I remain hopeful. > > All this notwithstanding, would you be willing to exchange hints & ideas about securing (as far as possible) PHP setups some more, off-list? > I'd like to ask some more about your approach. You can put webserver, or just php-fpm inside jail and then just nullfs mount the directory tree with websites on partition with noexec mount flag .. to name a few. Kind regards Miroslav Lachman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b3be5e14-4a44-ff2c-e2c4-b10aca99934e>