Re: PHP Support in Debian
- Date: Tue, 16 Oct 2018 12:04:18 -0400
- From: Roberto C. Sánchez <roberto@xxxxxxxxxx>
- Subject: Re: PHP Support in Debian
I can only speak to the sitaution of PHP 5.6 (in jessie) and 5.4 (in
wheezy). The support for 5.6 is under the auspices of the LTS team,
while the support for 5.4 is under the auspices of the Extended LTS
On Tue, Oct 16, 2018 at 05:06:06PM +0200, Bernd Zeimetz wrote:
> we (as in several customers and I) are wondering about the status
> of php support in Debian.
> * According to http://php.net/supported-versions.php upstream
> security support for 5.6 (jessie) and 7.0 (stretch) will be gone
> soon. Is it possible to support these versions properly for our
> users as long as there is security/LTS support for our releases?
I prepared the last three PHP 5.6 updates for jessie/LTS (5.6.36,
5.6.37, and 5.6.38) as well as the last two PHP 5.4 updates for
wheezy/ELTS (5.4.45-0+deb7u15 and 5.4.45-0+deb7u16). My experience with
those updates has been that new security-specific upstream releases (as
the last few 5.6 releases have been) make it easy to identify specific
security fixes and backport them even further (e.g., 5.6 to 5.4).
My expectation would be that 7.1.x upstream security releases will
continue the trend and that identifying the specific security fixes will
continue to be straightforward. That said, I suspect that backporting
security fixes may become more challenging with time because of
significant differences between 5.6 and 7.1.
Still, the LTS team supports various packages which no longer have
official upstream security support. If the burden becomes too great, I
expect that the team will evaluate the options and consider delcaring
php5.6 in jessie end-of-life (as is done with some other packages which
cannot feasibly be maintained in jessie).
That is perhaps not the solution you were seeking.
> * Lots of applications require php 7.1 or 7.2 these days. As
> there is no official backport, the only option right now is
> to use CentOS with SCLs. I know that there is
> https://deb.sury.org - but prefer to trust stuff that was
> built on Debian machines and is distributed/signed with a
> key we trust.
I have encountered this same situation and have resorted to backporting
packages from testing/unstable myself :-/
> Will there be a proper solution for that soon?
I hope that there will be.
Roberto C. Sánchez