[gentoo-dev-announce] Upcoming masking of dev-lang/php-4* and packages depending on it

[gentoo-dev-announce] Upcoming masking of dev-lang/php-4* and packages depending on it

[Christian Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 1706 bytes --]

Heya,

I'm going to p.mask =dev-lang/php-4* and all packages explicitly
depending on this version of php (i.e. the whole dev-php4/ category
(36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1])
next weekend (around Oct 14th). This step is necessary as there is
hardly any upstream activity anymore.

The last official version of php-4, 4.4.7, dates back to May 3rd and is
in the same state as php-5.2.2 security-wise (and we all know how many
issues php-5 had in the past, just have a look at the recently published
GLSA 200710-02 [2]).

All those security problems, which were fixed in the 5.2 branch,
possibly apply to the 4.4 branch as well, yet there are no (backported)
fixes in upstream CVS and there is no sign of an upcoming release
either.
This means, if we were to continue php-4 support we would have to do
the upstream work and compile a list of issues + patches. Upstream
developers seem to see it the same way -- "if you really want to get it
done - do it" was one reply when I asked what's up with php-4. Noone
from our PHP team has the time and motiviation to do that work, and as
such we are going to mask it (unless someone volunteers to do the work
and/or upstream becomes active again).

We will still keep php-4 (and all related packages) in the tree until at
least the end of the year (this is the date where official upstream
"support" ends) and bump it if (and not "when"...) there are any
releases.

We advise all users of of php-4 to upgrade to php-5 as soon as possible.

[1] https://bugs.gentoo.org/show_bug.cgi?id=194894
[2] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml

-- 
Christian Hoffmann
Gentoo PHP herd

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 189 bytes --]