From owner-freebsd-ports@freebsd.org Fri Aug 16 07:44:19 2019 Return-Path: Delivered-To: freebsd-ports@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 91342C314A for ; Fri, 16 Aug 2019 07:44:19 +0000 (UTC) (envelope-from SRS0=d7Iv=WM=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 468wLp4YZCz3QDy for ; Fri, 16 Aug 2019 07:44:17 +0000 (UTC) (envelope-from SRS0=d7Iv=WM=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id 09DFC28417; Fri, 16 Aug 2019 09:44:16 +0200 (CEST) Received: from illbsd.quip.test (ip-62-24-92-232.net.upcbroadband.cz [62.24.92.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id EF06128416; Fri, 16 Aug 2019 09:44:14 +0200 (CEST) Subject: Re: PHP version retirement To: =?UTF-8?Q?Martin_Waschb=c3=bcsch?= , FreeBSD Ports References: <97336C1A-6743-462B-984A-6C513A5B9CED@prime.gushi.org> <57D05F4F-9379-4760-8BEE-7B432A6008DE@waschbuesch.de> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: Date: Fri, 16 Aug 2019 09:44:14 +0200 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <57D05F4F-9379-4760-8BEE-7B432A6008DE@waschbuesch.de> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 468wLp4YZCz3QDy X-Spamd-Bar: ++++ Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=none (mx1.freebsd.org: domain of SRS0=d7Iv=WM=quip.cz=000.fbsd@elsa.codelab.cz has no SPF policy when checking 94.124.105.4) smtp.mailfrom=SRS0=d7Iv=WM=quip.cz=000.fbsd@elsa.codelab.cz X-Spamd-Result: default: False [4.88 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; NEURAL_SPAM_SHORT(0.87)[0.873,0]; IP_SCORE(0.92)[ip: (0.49), ipnet: 94.124.104.0/21(0.24), asn: 42000(3.80), country: CZ(0.08)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[quip.cz]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(0.96)[0.956,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; TO_DN_ALL(0.00)[]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[4.105.124.94.list.dnswl.org : 127.0.10.0]; NEURAL_SPAM_LONG(0.93)[0.932,0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=d7Iv=WM=quip.cz=000.fbsd@elsa.codelab.cz]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=d7Iv=WM=quip.cz=000.fbsd@elsa.codelab.cz]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-ports@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Porting software to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 16 Aug 2019 07:44:19 -0000 Martin Waschbüsch wrote on 2019/08/16 09:27: > Thank you for your input. > While I agree that PHP, in general, has been and still is a source of lots of security issues, I do not think this is the central point in this debate. > There might be a high probability of security issues that are PHP related for all I know, but again, the real question is: > > Why drop a package that has just had recent security updates after a couple of weeks? > > I pointed out that I do not think lack of upstream development is in and of itself sufficient grounds for doing so. At the very least, while it may be unwise to use a now obsolete version of PHP, I doubt if an argument along the lines of 'We removed this from ports. It's for your own good' is a very good one. (For a number of reasons). +1 > The only other arguments I got so far seem to be about resources. I can understand that. With limited resources you have to prioritize and something will have to give. > Now, in a reply to Adam, I asked specifically if there were pointers that would help me evaluate how much effort is really involved. > (My working theory being that I so far underestimate the work required to do this.) The effort to keep 5.6 in a tree for a few more months would be ... very little. It was done in quaterly branch after 5.6 was removed from head branch. I did my own updated version of the port (and extensions) from 5.6.39 to 5.6.40 without any issues - running on couple of machines till this day. > Also, I asked if people were open to letting a group of people interested in doing so continue to maintain an old version of php so that it does not have to be removed from ports. > Kurt suggested that as a feasible way forward and I agree. > Earlier, Adam seemed open to discussing a way forward as well, but I am not sure that still is the case. > Since I do not yet feel comfortable that I correctly estimate the amount of work, if enough people can be found to volunteer for this, but I remain hopeful. > > All this notwithstanding, would you be willing to exchange hints & ideas about securing (as far as possible) PHP setups some more, off-list? > I'd like to ask some more about your approach. You can put webserver, or just php-fpm inside jail and then just nullfs mount the directory tree with websites on partition with noexec mount flag .. to name a few. Kind regards Miroslav Lachman