Re: [gentoo-server] PHP4

[Yves Thommes <doc@foobar.lu>]

hey lindsay, thank you for your feedback.

i already was playing around a little bit with php4 and php5 concurrent 
installations and they worked very well.

what we've actually done so far was put all of the websites (about a 
dozen), which absolutely require php4 to run, on a dedicated box.
all other web servers have been running php5 only for several months now.
the problem with the deprecated php4 module ebuild would of course only 
affected this single box.

of course migrating a website from php4-only to php5-compatible software 
is mainly a political decision in my case.
i'm rather in a tight spot, management of course doesn't want to drop 
the customers and either the customer doesn't have the resources to pay 
for a migration, or maybe even the web-agency who developed the website 
several years ago has been put out of business or <insert any business 
reason you like> and we don't have the know-how ourselves to migrate the 
system.

so i only saw the situation from a system administrators point of view 
who only wanted to know of there was a possibility that the php4 ebuild 
would only be masked or if there was some other solutions (like local 
portage overlay, just as an example). you wouldn't believe how many 
customers would rather be ok to be hosted on a server where we could no 
more guarantee the security for their website because the technology 
used is no longer supported, than invest into a migration to a newer system.

the problem with the missing php4 ebuild is not about "no more php4 
security updates", i know that php4 support has been officially dropped, 
the problem would rather have been with dependencies i guess. and that's 
why i posted to this mailing list, just to get advice, i suppose that's 
one of the purposes of a mailing list.

thanks for your help, i guess i'll figure something out.


Lindsay Haisley wrote:
> On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
>   
>> So...you know enough to run your ISP on Gentoo (at least I'd hope so), but you 
>> think that the ebuilds being removed from portage will mean you can no longer 
>> have php4? If you really want to keep it, stick the ebuilds in an overlay and 
>> stop complaining.
>>
>> Gentoo is removing the php4 ebuilds from the tree, because it won't be 
>> security-supported by upstream very shortly. Gentoo doesn't have the manpower to 
>> do security backports and such....we just bump to the next version. Until you're 
>> paying to use Gentoo, please don't complain about how the distro does things. 
>> Especially when the complaint it "stupid".
>>     
>
> Andrew, please be moderate in your responses.  We're all doing the best
> we can with a complex technology.  Information and sound analysis help.
> Sarcasm and insulting words don't.  This is a technical forum.
>
> Yves, the bottom line here is that PHP4 has been found by the upstream
> PHP developers to have security flaws that aren't easily addressed, and
> probably won't be.  Many distributions, not just Gentoo are dropping
> support for it since the upstream development focus has switched to PHP5
> and PHP6.
>
> Some of your customers may have issues with their scripts and PHP5, but
> having done this upgrade as a consultant to a programmer with a major,
> very OO PHP-based research software system, my observation is that the
> problems are probably relatively minor and easily fixed.  Two things to
> remember:
>
> 1.  It's important to take a good look at the php.ini files for both
> PHP4 and PHP5 and make sure that all the options which might affect
> script execution are compatible.
>
> 2.  It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and
> PHP5 on the same system and use either one on a per-directory or
> per-file basis, so you can switch potentially problem customers over to
> PHP5 one by one.
>
> My guess is that upgrading globally to PHP5 will affect a relatively
> small percentage of your customer base if php.ini synchronization is
> good.  PHP5 is very backward compatible in most things.  Your decision
> and your actions must also depend on your evaluation of the security
> risks, and how the value of your work in maintaining PHP4 and dealing
> with possible security breaches balances against the work involved in
> upgrading to PHP5 and helping your customers with possible scripting
> issues.
>
> There are a lot of ways to maintain an obsolete package, the simplest of
> which is to download the upstream developers' source package and build
> and install it outside of Gentoo - not advisable but very doable.
>
>   

-- 
gentoo-server@lists.gentoo.org mailing list