Re: [gentoo-server] PHP4

[Georges Toth <georges@norm.lu>]

oops... :-P

Georges Toth wrote:
> Hi Yves,
> 
> Please excuse my off-list mail, but I don't want to get into a
> php4-keep-it-or-not discussion :-).
> 
> Taking that you are only dealing with a rather small amount of sites, it
> might be a good idea to switch to a different distribution which offers
> long time support over another couple of years and still includes php4.
> 
> The migration of the sites to that new server should be very smooth and
> everybody's happy ;-).
> It's also a lot easier than dealing with unsupported ebuilds and
> packages over a longer period.
> 
> A nice alternative to gentoo, with that LTS support, is e.g. debian 4.
> 
> 
> Good luck
> 
> 
> Yves Thommes wrote:
>> hey lindsay, thank you for your feedback.
>>
>> i already was playing around a little bit with php4 and php5 concurrent
>> installations and they worked very well.
>>
>> what we've actually done so far was put all of the websites (about a
>> dozen), which absolutely require php4 to run, on a dedicated box.
>> all other web servers have been running php5 only for several months now.
>> the problem with the deprecated php4 module ebuild would of course only
>> affected this single box.
>>
>> of course migrating a website from php4-only to php5-compatible software
>> is mainly a political decision in my case.
>> i'm rather in a tight spot, management of course doesn't want to drop
>> the customers and either the customer doesn't have the resources to pay
>> for a migration, or maybe even the web-agency who developed the website
>> several years ago has been put out of business or <insert any business
>> reason you like> and we don't have the know-how ourselves to migrate the
>> system.
>>
>> so i only saw the situation from a system administrators point of view
>> who only wanted to know of there was a possibility that the php4 ebuild
>> would only be masked or if there was some other solutions (like local
>> portage overlay, just as an example). you wouldn't believe how many
>> customers would rather be ok to be hosted on a server where we could no
>> more guarantee the security for their website because the technology
>> used is no longer supported, than invest into a migration to a newer
>> system.
>>
>> the problem with the missing php4 ebuild is not about "no more php4
>> security updates", i know that php4 support has been officially dropped,
>> the problem would rather have been with dependencies i guess. and that's
>> why i posted to this mailing list, just to get advice, i suppose that's
>> one of the purposes of a mailing list.
>>
>> thanks for your help, i guess i'll figure something out.
>>
>>
>> Lindsay Haisley wrote:
>>> On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
>>>  
>>>> So...you know enough to run your ISP on Gentoo (at least I'd hope
>>>> so), but you think that the ebuilds being removed from portage will
>>>> mean you can no longer have php4? If you really want to keep it,
>>>> stick the ebuilds in an overlay and stop complaining.
>>>>
>>>> Gentoo is removing the php4 ebuilds from the tree, because it won't
>>>> be security-supported by upstream very shortly. Gentoo doesn't have
>>>> the manpower to do security backports and such....we just bump to the
>>>> next version. Until you're paying to use Gentoo, please don't
>>>> complain about how the distro does things. Especially when the
>>>> complaint it "stupid".
>>>>     
>>> Andrew, please be moderate in your responses.  We're all doing the best
>>> we can with a complex technology.  Information and sound analysis help.
>>> Sarcasm and insulting words don't.  This is a technical forum.
>>>
>>> Yves, the bottom line here is that PHP4 has been found by the upstream
>>> PHP developers to have security flaws that aren't easily addressed, and
>>> probably won't be.  Many distributions, not just Gentoo are dropping
>>> support for it since the upstream development focus has switched to PHP5
>>> and PHP6.
>>>
>>> Some of your customers may have issues with their scripts and PHP5, but
>>> having done this upgrade as a consultant to a programmer with a major,
>>> very OO PHP-based research software system, my observation is that the
>>> problems are probably relatively minor and easily fixed.  Two things to
>>> remember:
>>>
>>> 1.  It's important to take a good look at the php.ini files for both
>>> PHP4 and PHP5 and make sure that all the options which might affect
>>> script execution are compatible.
>>>
>>> 2.  It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and
>>> PHP5 on the same system and use either one on a per-directory or
>>> per-file basis, so you can switch potentially problem customers over to
>>> PHP5 one by one.
>>>
>>> My guess is that upgrading globally to PHP5 will affect a relatively
>>> small percentage of your customer base if php.ini synchronization is
>>> good.  PHP5 is very backward compatible in most things.  Your decision
>>> and your actions must also depend on your evaluation of the security
>>> risks, and how the value of your work in maintaining PHP4 and dealing
>>> with possible security breaches balances against the work involved in
>>> upgrading to PHP5 and helping your customers with possible scripting
>>> issues.
>>>
>>> There are a lot of ways to maintain an obsolete package, the simplest of
>>> which is to download the upstream developers' source package and build
>>> and install it outside of Gentoo - not advisable but very doable.
>>>
>>>   
> 
> 


-- 
regards,

Georges Toth
-- 
gentoo-server@lists.gentoo.org mailing list