0
Welcome Guest! Login
0 items Join Now

Deprecating Support for PHP 5.4 is Premature for CentOS 7

Last Post
Search Topic

  • Deprecating Support for PHP 5.4 is Premature for CentOS 7

    Posted 8 years 5 months ago
    • The current release of CentOS 7 is 7.2. At the present time, a warning is being shown:
      You are currently running PHP 5.4.16 which will soon no longer be supported by Gantry. Please upgrade as soon as possible. More Details.

      I've posted a comment to gantry.org/blog/php54-end-of-support that essentially says that support should not be withdrawn until there is actually a possibility for a package update using the distro-approved update mechanism. From an IT perspective, patching an OS with third-party software is frequently not permitted as this can destabilize a server.

      The post seems to not be visible there, so I'm posting it below.

      For CentOS 7.2 users, note that RHEL distros use backporting to apply security fixes. The numbering of the package is NOT an indicator that the package has vulnerabilities. For that, you can do "rpm -q --changelog php | grep CVE". See: access.redhat.com/security/updates/backporting

      The most recent release (as of November 5, 2016) of the php package for CentOS 7 is php-5.4.16-36.3.el7_2.x86_64.rpm, last modified on July 22, 2016 and fixes CVE-2016-5385.

      Given backporting, the support dates in the table above are misleading as they do not reflect operating system support, but package developer support. From an IT perspective, support is managed at the OS level and it can be unacceptable to take packages from sources other than the OS distro provider. The table above is taken from: php.net/supported-versions.php

      Given that CentOS and enterprise distributions favor long-term support for releases, it does not make sense to me for Gantry to not work harmoniously with these major providers and coordinate end of life with them. Now, speaking practically, note that CentOS 7 (including the current 7.2) has an end-of-life date of Jun 2024. This demonstrates real commitment to long-term support. However, I can understand that Gantry does not have the staff necessary to undertake similar enterprise-grade long-term support.

      What I do think is that Gantry should not end-of-life PHP (or other required packages) until there is an available replacement that is available thru the major CentOS (Ubuntu, etc.) supported release channels. That is, one should NOT have to go to some third-party provider to try to upgrade PHP to a newer release to satisfy Gantry while taking the risk that such an installation might destabilize the operating system itself.

      I am hoping that CentOS 7.3 should be out soon (as Red Hat released 7.3 on November 3, 2016) and that the PHP included in the 7.3 release will be within Gantry's supported versions.

      Again: I encourage Gantry to withdraw support ONLY when major OS distro channel updates are available. To require non-standard upgrades to an OS otherwise causes unnecessary confusion and difficulty for IT staff.
    • Last Edit: 8 years 5 months ago by Steve Amerige.
    • Steve Amerige, Server Science Incorporated
      Server Leasing | Web Software Development | User Experience & Graphic Design
      Managed Services, Website, Java, and Source-Code Hosting
    #1322967
    • MrT's Avatar
    • MrT
    • Preeminent Rocketeer
    • Posts: 101084
    • Thanks: 13484
    • Web Designer/Developer

    Re: Deprecating Support for PHP 5.4 is Premature for CentOS 7

    Posted 8 years 5 months ago
    • First of all we haven't yet withdrawn support. What we've done is given notice that we intend to withdraw support from Gantry 5.5 onwards (which we haven't reached yet). The reason for with drawing support is:

      1. we are will use features of PHP only available in more modern versions
      2. the newer version of PHP are considerably faster and are more secure - allowing us to build better products.
      3. From the link you have provided the table shows that php5.4 and php5.5 are no longer supported and there are no longer any security fixes being provided for these releases from php.net. Given that cybercrime is on the increase, it would seem extremely wise to update to a version of PHP that is supported and for which security fixes are provided.

      I would also add that If you want to stick with your old version of PHP that you don't have to upgrade Gantry - you can leave that on an old version too.

      I thank you for your comments though and I will share them with our Developers.

      Regards, Mark.
    • Please search forums before posting. Please make sure your post includes the version of the CMS you are using and a link to the problem. Annotations on screenshots can also be helpful to explain problems/goals. Please use the "secure" tab for confidential information.
    #1323050

  • Re: Deprecating Support for PHP 5.4 is Premature for CentOS 7

    Posted 8 years 5 months ago
    • While php.net might not provide security fixes directly, they are providing fixes to OS providers such as CentOS. The delivery channel is CentOS.org, NOT php.net.

      It would create total havoc if a package provider could determine end-of-life for an operating system. Packages will continue to be updated with CVE fixes until end-of-life of the operating system platform, not the end-of-life of the package provider. It is for this reason that it is very important for Gantry to not end support for packages until the operating system delivery channel has an upgrade path. Corporate IT admins take updates from the operating system delivery channel to mitigate risk of destabilization when upgrading packages.
    • Steve Amerige, Server Science Incorporated
      Server Leasing | Web Software Development | User Experience & Graphic Design
      Managed Services, Website, Java, and Source-Code Hosting
    #1324329
    • Matias Griese's Avatar
    • Matias Griese
    • Sr. Rocketeer
    • Posts: 249
    • Thanks: 104
    • Lead Developer

    Re: Deprecating Support for PHP 5.4 is Premature for CentOS 7

    Posted 8 years 5 months ago
    • Aside the reasons which were already mentioned earlier, there are really two main reasons of dropping PHP 5.4 support.

      The first reason is that the most important libraries which we are using (Symfony, Whoops) have already dropped PHP 5.4 support long time ago and are not providing (or are about to stop providing) fixes for the older versions which still supported PHP 5.4. So there are two choices for us: either to support PHP 5.4 or PHP 7.1. We just cannot get both without maintaining our own version of those libraries.

      The second reason is that even if CentOS does provide security fixes, it doesn't really provide bug fixes. This is true especially with APC, which has been unmaintained for years and is really buggy. It basically causes Gantry not to work in WordPress when APC has been enabled as it randomly breaks the site. There have been a lot of other bugs too, which go away by just upgrading PHP. Unfortunately many of these bugs cannot be reproduced in my own computer even if I'm using the same version of PHP. As PHP 5.5 has a lot less issues, it really saves our time not to track down known PHP bugs and try to work around them.

      If CentOS is still using PHP 5.4 with no alternatives, its really the last distribution doing that. I've stopped using RedHat/CentOS years ago and I'm now using either Debian or Ubuntu, which both come with PHP 7.0 installed by default. In fact Gantry is being developed in Ubuntu as I'm mainly Linux user myself. Also CentOS not coming with latest PHP isn't a bad issue as most servers are running Plesk or CPanel, which provide their own updated Apache environments. Many hosting providers also have their own repositories with later PHP versions available for their users to use.

    • The following users have thanked you: MrT

    • Gantry 5, enjoy!
    #1325343

Time to create page: 0.059 seconds