public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] PHP4
@ 2008-01-18 16:10 A. Khattri
  2008-01-18 16:12 ` Petteri Räty
                   ` (2 more replies)
  0 siblings, 3 replies; 52+ messages in thread
From: A. Khattri @ 2008-01-18 16:10 UTC (permalink / raw
  To: gentoo-server


How ironic: Gentoo masks PHP4 because of a bunch of bugs and forces a lot
of people to upgrade to PHP5. Then the PHP devs bring out bug fixes for 
PHP4. So if we had waited we wouldn't have gone through the pain of 
upgrading servers to PHP5...



-- 
A
-- 
gentoo-server@lists.gentoo.org mailing list




* Re: [gentoo-server] PHP4
  2008-01-18 16:10 [gentoo-server] PHP4 A. Khattri
@ 2008-01-18 16:12 ` Petteri Räty
  2008-01-18 16:48   ` Jil Larner
  2008-01-18 17:29 ` Lindsay Haisley
  2008-01-22 16:13 ` Yves Thommes
  2 siblings, 1 reply; 52+ messages in thread
From: Petteri Räty @ 2008-01-18 16:12 UTC (permalink / raw
  To: gentoo-server

A. Khattri wrote:
> 
> How ironic: Gentoo masks PHP4 because of a bunch of bugs and forces a lot
> of people to upgrade to PHP5. Then the PHP devs bring out bug fixes for 
> PHP4. So if we had waited we wouldn't have gone through the pain of 
> upgrading servers to PHP5...
> 
> 

So you would prefer to stay with PHP4 indefinitely? Old versions are 
also a maintenance burden to devs.

Regards,
Petteri



* Re: [gentoo-server] PHP4
  2008-01-18 16:12 ` Petteri Räty
@ 2008-01-18 16:48   ` Jil Larner
  0 siblings, 0 replies; 52+ messages in thread
From: Jil Larner @ 2008-01-18 16:48 UTC (permalink / raw
  To: gentoo-server

PHP 4 *end of life* is announced for August 8, 2008 (this means in a few
months). Having it masked is a good point. Soon, it will become a
security issue more than it is by now. Upgrading is the right way, even
if it's not an easy and pleasant task if scripts are not PHP 5 compatible...

Spread the news ;) (You can check it on php.net)

Petteri Räty wrote:
> A. Khattri wrote:
>>
>> How ironic: Gentoo masks PHP4 because of a bunch of bugs and forces a
>> lot of people to upgrade to PHP5. Then the PHP devs bring out bug
>> fixes for PHP4. So if we had waited we wouldn't have gone through the
>> pain of upgrading servers to PHP5...
>>
>>
> 
> So you would prefer to stay with PHP4 indefinitely? Old versions are
> also a maintenance burden to devs.
> 
> Regards,
> Petteri
> 

* Re: [gentoo-server] PHP4
  2008-01-18 16:10 [gentoo-server] PHP4 A. Khattri
  2008-01-18 16:12 ` Petteri Räty
@ 2008-01-18 17:29 ` Lindsay Haisley
  2008-01-22 16:13 ` Yves Thommes
  2 siblings, 0 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-18 17:29 UTC (permalink / raw
  To: gentoo-server

On Fri, 2008-01-18 at 11:10 -0500, A. Khattri wrote:
> So if we had waited we wouldn't have gone through the pain of 
> upgrading servers to PHP5

The upgrade is reasonably painless.  _Most_ code written for PHP4 will
run transparently on PHP5, assuming you have your php.ini files well
coordinated.  Going forward, there are a number of very nice
enhancements in PHP5, notably a substantial improvement in OOP support.

You can also run both PHP4 and PHP5 at the same time and switch over on
a per-virtual server basis, so if you host lots of websites you don't
have to worry about possibly breaking all of them at once.  The only
limitation here (which is an apache limitation, I think) is that either
v4 or v5 must run as CGI, which means that you can't use php_value
settings in a .htaccess file for the CGI version.

It's always a pleasure to work with well designed code.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |



* Re: [gentoo-server] PHP4
  2008-01-18 16:10 [gentoo-server] PHP4 A. Khattri
  2008-01-18 16:12 ` Petteri Räty
  2008-01-18 17:29 ` Lindsay Haisley
@ 2008-01-22 16:13 ` Yves Thommes
  2008-01-22 16:19   ` Andrew Gaffney
                     ` (2 more replies)
  2 siblings, 3 replies; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 16:13 UTC (permalink / raw
  To: gentoo-server

i'm working at an isp and we're running gentoo on all of our linux
servers. we have a rather large hosting business and some customers have
their site running on software which is not compatible with php5. if
gentoo decides to drop php4 support for good we would be forced to
either tell our customers to change their hosting provider because we
can no longer provide web servers with php4 or simply replace gentoo
with another distro like centos, redhat or debian where we still would
have php4 support.

of course we encourage our customers to upgrade their applications to
php5 but we can't force them to. the biggest problem are the customers
who use an ecommerce or cms system, which requires php4, to manage their
site. as an example we have several customers using ezpublish 3.x, which
runs only on php4! and for most of these customers upgrading to a more
recent version of ezpublish (4.x supports php5) for whatever which reason.

i suppose we're not the only isp running gentoo and hosting sites like
this, and ezpublish is just an example, there are other cms/ecommerce
systems which don't run on php5. so please, just mask the php4 ebuilds
if you have to, but please don't remove them completely from portage.

thanks

A. Khattri wrote:
>
> How ironic: Gentoo masks PHP4 because of a bunch of bugs and forces a
> lot of people to upgrade to PHP5. Then the PHP devs bring out bug
> fixes for PHP4. So if we had waited we wouldn't have gone through the
> pain of upgrading servers to PHP5...
>
>
>


* Re: [gentoo-server] PHP4
  2008-01-22 16:13 ` Yves Thommes
@ 2008-01-22 16:19   ` Andrew Gaffney
  2008-01-22 18:12     ` Lindsay Haisley
  2008-01-22 18:16     ` Yves Thommes
  2008-01-22 16:36   ` RijilV
  2008-01-23 15:02   ` Matthew Summers
  2 siblings, 2 replies; 52+ messages in thread
From: Andrew Gaffney @ 2008-01-22 16:19 UTC (permalink / raw
  To: gentoo-server

So...you know enough to run your ISP on Gentoo (at least I'd hope so), but you 
think that the ebuilds being removed from portage will mean you can no longer 
have php4? If you really want to keep it, stick the ebuilds in an overlay and 
stop complaining.

Gentoo is removing the php4 ebuilds from the tree, because it won't be 
security-supported by upstream very shortly. Gentoo doesn't have the manpower to 
do security backports and such....we just bump to the next version. Until you're 
paying to use Gentoo, please don't complain about how the distro does things. 
Especially when the complaint is "stupid".

Yves Thommes wrote:
> i suppose we're not the only isp running gentoo and hosting sites like
> this, and ezpublish is just an example, there are other cms/ecommerce
> systems which don't run on php5. so please, just mask the php4 ebuilds
> if you have to, but please don't remove them completely from portage.
> 
> thanks
> 
> A. Khattri wrote:
>> How ironic: Gentoo masks PHP4 because of a bunch of bugs and forces a
>> lot of people to upgrade to PHP5. Then the PHP devs bring out bug
>> fixes for PHP4. So if we had waited we wouldn't have gone through the
>> pain of upgrading servers to PHP5...
>>
>>
>>
> 


-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator

* Re: [gentoo-server] PHP4
  2008-01-22 16:13 ` Yves Thommes
  2008-01-22 16:19   ` Andrew Gaffney
@ 2008-01-22 16:36   ` RijilV
  2008-01-22 19:39     ` Matthias Bethke
  2008-01-23 15:02   ` Matthew Summers
  2 siblings, 1 reply; 52+ messages in thread
From: RijilV @ 2008-01-22 16:36 UTC (permalink / raw
  To: gentoo-server

On 22/01/2008, Yves Thommes <doc@foobar.lu> wrote:
>
> i'm working at an isp and we're running gentoo on all of our linux
> servers. we have a rather large hosting business and some customers have
> their site running on software which is not compatible with php5.


Hrm, You have a business, and a "rather large" one at that, and a need.
Sounds like you'd be a perfect volunteer to maintain the php4 package.


* Re: [gentoo-server] PHP4
  2008-01-22 16:19   ` Andrew Gaffney
@ 2008-01-22 18:12     ` Lindsay Haisley
  2008-01-22 18:38       ` Yves Thommes
  2008-01-22 18:16     ` Yves Thommes
  1 sibling, 1 reply; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 18:12 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
> So...you know enough to run your ISP on Gentoo (at least I'd hope so), but you 
> think that the ebuilds being removed from portage will mean you can no longer 
> have php4? If you really want to keep it, stick the ebuilds in an overlay and 
> stop complaining.
> 
> Gentoo is removing the php4 ebuilds from the tree, because it won't be 
> security-supported by upstream very shortly. Gentoo doesn't have the manpower to 
> do security backports and such....we just bump to the next version. Until you're 
> paying to use Gentoo, please don't complain about how the distro does things. 
> Especially when the complaint is "stupid".

Andrew, please be moderate in your responses.  We're all doing the best
we can with a complex technology.  Information and sound analysis help.
Sarcasm and insulting words don't.  This is a technical forum.

Yves, the bottom line here is that PHP4 has been found by the upstream
PHP developers to have security flaws that aren't easily addressed, and
probably won't be.  Many distributions, not just Gentoo are dropping
support for it since the upstream development focus has switched to PHP5
and PHP6.

Some of your customers may have issues with their scripts and PHP5, but
having done this upgrade as a consultant to a programmer with a major,
very OO PHP-based research software system, my observation is that the
problems are probably relatively minor and easily fixed.  Two things to
remember:

1.  It's important to take a good look at the php.ini files for both
PHP4 and PHP5 and make sure that all the options which might affect
script execution are compatible.

2.  It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and
PHP5 on the same system and use either one on a per-directory or
per-file basis, so you can switch potentially problem customers over to
PHP5 one by one.

My guess is that upgrading globally to PHP5 will affect a relatively
small percentage of your customer base if php.ini synchronization is
good.  PHP5 is very backward compatible in most things.  Your decision
and your actions must also depend on your evaluation of the security
risks, and how the value of your work in maintaining PHP4 and dealing
with possible security breaches balances against the work involved in
upgrading to PHP5 and helping your customers with possible scripting
issues.

There are a lot of ways to maintain an obsolete package, the simplest of
which is to download the upstream developers' source package and build
and install it outside of Gentoo - not advisable but very doable.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |
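
Added example, not part of the original thread or any poster's code: point 1 above (checking that the PHP4 and PHP5 php.ini files agree on the options that affect script execution) done mechanically. The two ini texts are constructed samples, and the WATCH list and all function names are assumptions made for this illustration.

```python
"""Report directives that differ between two php.ini files (added example)."""
import re

TRUE_WORDS = {"on", "yes", "true"}
FALSE_WORDS = {"off", "no", "false", "none"}
# Directives that may legitimately appear several times in one file.
MULTI_VALUED = {"extension", "zend_extension"}
# Assumption: an illustrative watch list of directives that change how
# scripts run; it is not taken from the thread and is not exhaustive.
WATCH = {
    "register_globals", "register_long_arrays", "magic_quotes_gpc",
    "short_open_tag", "allow_url_fopen", "display_errors",
    "error_reporting", "include_path", "safe_mode", "open_basedir",
    "zend.ze1_compatibility_mode",
}

# Constructed sample input, standing in for the PHP4 box's php.ini.
PHP4_INI = """\
[PHP]
; constructed sample
register_globals = On
magic_quotes_gpc = On
short_open_tag = On
display_errors = On   ; shown to visitors
error_reporting  =  E_ALL & ~E_NOTICE
allow_url_fopen = On
include_path = ".:/usr/share/php4"
memory_limit = 8M
extension=mysql.so
extension=gd.so
"""

# Constructed sample input, standing in for the PHP5 box's php.ini.
PHP5_INI = """\
[PHP]
register_globals = Off
magic_quotes_gpc = 1
short_open_tag = Off
display_errors = Off
error_reporting = E_ALL & ~E_NOTICE
allow_url_fopen = true
include_path = ".:/usr/share/php5"
memory_limit = 8M
zend.ze1_compatibility_mode = Off
extension=gd.so
extension=mysql.so
extension=mysqli.so
"""


def _strip_comment(value):
    """Drop a trailing ';' comment unless the ';' sits inside double quotes."""
    out, in_quotes = [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out).strip()


def _normalize(value):
    """Fold spellings that mean the same thing into one comparable form."""
    value = _strip_comment(value)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    low = value.lower()
    if low in TRUE_WORDS:
        return "1"
    if low in FALSE_WORDS:
        # Simplification for comparison: Off/No/False/None are folded to "0"
        # so that "Off" in one file and "0" in the other count as equal.
        return "0"
    return re.sub(r"\s+", " ", value)


def parse_ini(text):
    """Return {directive: effective value} for one php.ini text."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, ';' comments, [section] headers and lines without '='.
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        seen.setdefault(key.strip(), []).append(_normalize(value))
    # A repeated single-valued directive takes its last value; multi-valued
    # ones are compared as a sorted set so load order does not matter.
    return {
        key: ", ".join(sorted(vals)) if key in MULTI_VALUED else vals[-1]
        for key, vals in seen.items()
    }


def compare(old, new):
    """List (directive, old, new) for every directive whose value differs.

    None means the file does not set the directive at all, so that PHP
    version's built-in default applies and has to be looked up separately.
    """
    return [
        (key, old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    ]


def report(old_text, new_text):
    """Format the differences, marking watch-list directives with '!!'."""
    lines = []
    for key, a, b in compare(parse_ini(old_text), parse_ini(new_text)):
        mark = "!!" if key in WATCH else "  "
        lines.append(f"{mark} {key}: {a!r} -> {b!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(PHP4_INI, PHP5_INI)))
```

To use it on real files, read each php.ini into a string and pass the two strings to report(); a directive shown with None on one side needs that PHP version's default checked by hand.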



* Re: [gentoo-server] PHP4
  2008-01-22 16:19   ` Andrew Gaffney
  2008-01-22 18:12     ` Lindsay Haisley
@ 2008-01-22 18:16     ` Yves Thommes
  2008-01-22 20:13       ` Petteri Räty
  1 sibling, 1 reply; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 18:16 UTC (permalink / raw
  To: gentoo-server

[irony]oh well, you just have to give it to the gentoo community, 
they're always polite and glad to help.[/irony]

thanks for the tip about the local overlay, i have to admit i didn't 
think about that right away. the local overlay seems indeed to be the 
easiest solution.

sorry about the question, but i wasn't complaining at all. it was just a 
simple question and a simple "no we won't continue to include php4 in 
the portage tree, just put the ebuilds in a local overlay if you really 
want to keep php4"-answer would have done the job.

and maybe your answer even motivated me to submit a gentoo-wiki article 
about keeping deprecated packages using a local repository. don't worry
i'll give you credit.
see, my question wasn't so stupid after all ;)

cheers,
take it easy

Andrew Gaffney wrote:
> So...you know enough to run your ISP on Gentoo (at least I'd hope so), 
> but you think that the ebuilds being removed from portage will mean 
> you can no longer have php4? If you really want to keep it, stick the 
> ebuilds in an overlay and stop complaining.
>
> Gentoo is removing the php4 ebuilds from the tree, because it won't be 
> security-supported by upstream very shortly. Gentoo doesn't have the 
> manpower to do security backports and such....we just bump to the next 
> version. Until you're paying to use Gentoo, please don't complain 
> about how the distro does things. Especially when the complaint is
> "stupid".
>
> Yves Thommes wrote:
>> i suppose we're not the only isp running gentoo and hosting sites like
>> this, and ezpublish is just an example, there are other cms/ecommerce
>> systems which don't run on php5. so please, just mask the php4 ebuilds
>> if you have to, but please don't remove them completely from portage.
>>
>> thanks
>>
>> A. Khattri wrote:
>>> How ironic: Gentoo masks PHP4 because of a bunch of bugs and forces a
>>> lot of people to upgrade to PHP5. Then the PHP devs bring out bug
>>> fixes for PHP4. So if we had waited we wouldn't have gone through the
>>> pain of upgrading servers to PHP5...
>>>
>>>
>>>
>>
>
>


* Re: [gentoo-server] PHP4
  2008-01-22 18:12     ` Lindsay Haisley
@ 2008-01-22 18:38       ` Yves Thommes
  2008-01-22 18:53         ` Georges Toth
  2008-01-22 19:10         ` Lindsay Haisley
  0 siblings, 2 replies; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 18:38 UTC (permalink / raw
  To: gentoo-server

hey lindsay, thank you for your feedback.

i already was playing around a little bit with php4 and php5 concurrent 
installations and they worked very well.

what we've actually done so far was put all of the websites (about a 
dozen), which absolutely require php4 to run, on a dedicated box.
all other web servers have been running php5 only for several months now.
the problem with the deprecated php4 module ebuild would of course only 
affect this single box.

of course migrating a website from php4-only to php5-compatible software 
is mainly a political decision in my case.
i'm rather in a tight spot, management of course doesn't want to drop 
the customers and either the customer doesn't have the resources to pay 
for a migration, or maybe even the web-agency who developed the website 
several years ago has been put out of business or <insert any business 
reason you like> and we don't have the know-how ourselves to migrate the 
system.

so i only saw the situation from a system administrator's point of view
who only wanted to know if there was a possibility that the php4 ebuild
would only be masked or if there was some other solutions (like local 
portage overlay, just as an example). you wouldn't believe how many 
customers would rather be ok to be hosted on a server where we could no 
more guarantee the security for their website because the technology 
used is no longer supported, than invest into a migration to a newer system.

the problem with the missing php4 ebuild is not about "no more php4 
security updates", i know that php4 support has been officially dropped, 
the problem would rather have been with dependencies i guess. and that's 
why i posted to this mailing list, just to get advice, i suppose that's 
one of the purposes of a mailing list.

thanks for your help, i guess i'll figure something out.


Lindsay Haisley wrote:
> On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
>   
>> So...you know enough to run your ISP on Gentoo (at least I'd hope so), but you 
>> think that the ebuilds being removed from portage will mean you can no longer 
>> have php4? If you really want to keep it, stick the ebuilds in an overlay and 
>> stop complaining.
>>
>> Gentoo is removing the php4 ebuilds from the tree, because it won't be 
>> security-supported by upstream very shortly. Gentoo doesn't have the manpower to 
>> do security backports and such....we just bump to the next version. Until you're 
>> paying to use Gentoo, please don't complain about how the distro does things. 
>> Especially when the complaint is "stupid".
>>     
>
> Andrew, please be moderate in your responses.  We're all doing the best
> we can with a complex technology.  Information and sound analysis help.
> Sarcasm and insulting words don't.  This is a technical forum.
>
> Yves, the bottom line here is that PHP4 has been found by the upstream
> PHP developers to have security flaws that aren't easily addressed, and
> probably won't be.  Many distributions, not just Gentoo are dropping
> support for it since the upstream development focus has switched to PHP5
> and PHP6.
>
> Some of your customers may have issues with their scripts and PHP5, but
> having done this upgrade as a consultant to a programmer with a major,
> very OO PHP-based research software system, my observation is that the
> problems are probably relatively minor and easily fixed.  Two things to
> remember:
>
> 1.  It's important to take a good look at the php.ini files for both
> PHP4 and PHP5 and make sure that all the options which might affect
> script execution are compatible.
>
> 2.  It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and
> PHP5 on the same system and use either one on a per-directory or
> per-file basis, so you can switch potentially problem customers over to
> PHP5 one by one.
>
> My guess is that upgrading globally to PHP5 will affect a relatively
> small percentage of your customer base if php.ini synchronization is
> good.  PHP5 is very backward compatible in most things.  Your decision
> and your actions must also depend on your evaluation of the security
> risks, and how the value of your work in maintaining PHP4 and dealing
> with possible security breaches balances against the work involved in
> upgrading to PHP5 and helping your customers with possible scripting
> issues.
>
> There are a lot of ways to maintain an obsolete package, the simplest of
> which is to download the upstream developers' source package and build
> and install it outside of Gentoo - not advisable but very doable.
>
>   


* Re: [gentoo-server] PHP4
  2008-01-22 18:38       ` Yves Thommes
@ 2008-01-22 18:53         ` Georges Toth
  2008-01-22 18:55           ` Georges Toth
  2008-01-22 19:13           ` Lindsay Haisley
  2008-01-22 19:10         ` Lindsay Haisley
  1 sibling, 2 replies; 52+ messages in thread
From: Georges Toth @ 2008-01-22 18:53 UTC (permalink / raw
  To: gentoo-server

Hi Yves,

Please excuse my off-list mail, but I don't want to get into a
php4-keep-it-or-not discussion :-).

Taking that you are only dealing with a rather small amount of sites, it
might be a good idea to switch to a different distribution which offers
long time support over another couple of years and still includes php4.

The migration of the sites to that new server should be very smooth and
everybody's happy ;-).
It's also a lot easier than dealing with unsupported ebuilds and
packages over a longer period.

A nice alternative to gentoo, with that LTS support, is e.g. debian 4.


Good luck


Yves Thommes wrote:
> hey lindsay, thank you for your feedback.
> 
> i already was playing around a little bit with php4 and php5 concurrent
> installations and they worked very well.
> 
> what we've actually done so far was put all of the websites (about a
> dozen), which absolutely require php4 to run, on a dedicated box.
> all other web servers have been running php5 only for several months now.
> the problem with the deprecated php4 module ebuild would of course only
> affect this single box.
> 
> of course migrating a website from php4-only to php5-compatible software
> is mainly a political decision in my case.
> i'm rather in a tight spot, management of course doesn't want to drop
> the customers and either the customer doesn't have the resources to pay
> for a migration, or maybe even the web-agency who developed the website
> several years ago has been put out of business or <insert any business
> reason you like> and we don't have the know-how ourselves to migrate the
> system.
> 
> so i only saw the situation from a system administrator's point of view
> who only wanted to know if there was a possibility that the php4 ebuild
> would only be masked or if there was some other solutions (like local
> portage overlay, just as an example). you wouldn't believe how many
> customers would rather be ok to be hosted on a server where we could no
> more guarantee the security for their website because the technology
> used is no longer supported, than invest into a migration to a newer
> system.
> 
> the problem with the missing php4 ebuild is not about "no more php4
> security updates", i know that php4 support has been officially dropped,
> the problem would rather have been with dependencies i guess. and that's
> why i posted to this mailing list, just to get advice, i suppose that's
> one of the purposes of a mailing list.
> 
> thanks for your help, i guess i'll figure something out.
> 
> 
> Lindsay Haisley wrote:
>> On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
>>  
>>> So...you know enough to run your ISP on Gentoo (at least I'd hope
>>> so), but you think that the ebuilds being removed from portage will
>>> mean you can no longer have php4? If you really want to keep it,
>>> stick the ebuilds in an overlay and stop complaining.
>>>
>>> Gentoo is removing the php4 ebuilds from the tree, because it won't
>>> be security-supported by upstream very shortly. Gentoo doesn't have
>>> the manpower to do security backports and such....we just bump to the
>>> next version. Until you're paying to use Gentoo, please don't
>>> complain about how the distro does things. Especially when the
>>> complaint is "stupid".
>>>     
>>
>> Andrew, please be moderate in your responses.  We're all doing the best
>> we can with a complex technology.  Information and sound analysis help.
>> Sarcasm and insulting words don't.  This is a technical forum.
>>
>> Yves, the bottom line here is that PHP4 has been found by the upstream
>> PHP developers to have security flaws that aren't easily addressed, and
>> probably won't be.  Many distributions, not just Gentoo are dropping
>> support for it since the upstream development focus has switched to PHP5
>> and PHP6.
>>
>> Some of your customers may have issues with their scripts and PHP5, but
>> having done this upgrade as a consultant to a programmer with a major,
>> very OO PHP-based research software system, my observation is that the
>> problems are probably relatively minor and easily fixed.  Two things to
>> remember:
>>
>> 1.  It's important to take a good look at the php.ini files for both
>> PHP4 and PHP5 and make sure that all the options which might affect
>> script execution are compatible.
>>
>> 2.  It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and
>> PHP5 on the same system and use either one on a per-directory or
>> per-file basis, so you can switch potentially problem customers over to
>> PHP5 one by one.
>>
>> My guess is that upgrading globally to PHP5 will affect a relatively
>> small percentage of your customer base if php.ini synchronization is
>> good.  PHP5 is very backward compatible in most things.  Your decision
>> and your actions must also depend on your evaluation of the security
>> risks, and how the value of your work in maintaining PHP4 and dealing
>> with possible security breaches balances against the work involved in
>> upgrading to PHP5 and helping your customers with possible scripting
>> issues.
>>
>> There are a lot of ways to maintain an obsolete package, the simplest of
>> which is to download the upstream developers' source package and build
>> and install it outside of Gentoo - not advisable but very doable.
>>
>>   
> 


-- 
regards,

Georges Toth

* Re: [gentoo-server] PHP4
  2008-01-22 18:53         ` Georges Toth
@ 2008-01-22 18:55           ` Georges Toth
  2008-01-22 19:13           ` Lindsay Haisley
  1 sibling, 0 replies; 52+ messages in thread
From: Georges Toth @ 2008-01-22 18:55 UTC (permalink / raw
  To: gentoo-server

oops... :-P

Georges Toth wrote:
> Hi Yves,
> 
> Please excuse my off-list mail, but I don't want to get into a
> php4-keep-it-or-not discussion :-).
> 
> Taking that you are only dealing with a rather small amount of sites, it
> might be a good idea to switch to a different distribution which offers
> long time support over another couple of years and still includes php4.
> 
> The migration of the sites to that new server should be very smooth and
> everybody's happy ;-).
> It's also a lot easier than dealing with unsupported ebuilds and
> packages over a longer period.
> 
> A nice alternative to gentoo, with that LTS support, is e.g. debian 4.
> 
> 
> Good luck
> 
> 
> Yves Thommes wrote:
>> hey lindsay, thank you for your feedback.
>>
>> i already was playing around a little bit with php4 and php5 concurrent
>> installations and they worked very well.
>>
>> what we've actually done so far was put all of the websites (about a
>> dozen), which absolutely require php4 to run, on a dedicated box.
>> all other web servers have been running php5 only for several months now.
>> the problem with the deprecated php4 module ebuild would of course only
>> affect this single box.
>>
>> of course migrating a website from php4-only to php5-compatible software
>> is mainly a political decision in my case.
>> i'm rather in a tight spot, management of course doesn't want to drop
>> the customers and either the customer doesn't have the resources to pay
>> for a migration, or maybe even the web-agency who developed the website
>> several years ago has been put out of business or <insert any business
>> reason you like> and we don't have the know-how ourselves to migrate the
>> system.
>>
>> so i only saw the situation from a system administrator's point of view
>> who only wanted to know if there was a possibility that the php4 ebuild
>> would only be masked or if there was some other solutions (like local
>> portage overlay, just as an example). you wouldn't believe how many
>> customers would rather be ok to be hosted on a server where we could no
>> more guarantee the security for their website because the technology
>> used is no longer supported, than invest into a migration to a newer
>> system.
>>
>> the problem with the missing php4 ebuild is not about "no more php4
>> security updates", i know that php4 support has been officially dropped,
>> the problem would rather have been with dependencies i guess. and that's
>> why i posted to this mailing list, just to get advice, i suppose that's
>> one of the purposes of a mailing list.
>>
>> thanks for your help, i guess i'll figure something out.
>>
>>
>> Lindsay Haisley wrote:
>>> On Tue, 2008-01-22 at 10:19 -0600, Andrew Gaffney wrote:
>>>  
>>>> So...you know enough to run your ISP on Gentoo (at least I'd hope
>>>> so), but you think that the ebuilds being removed from portage will
>>>> mean you can no longer have php4? If you really want to keep it,
>>>> stick the ebuilds in an overlay and stop complaining.
>>>>
>>>> Gentoo is removing the php4 ebuilds from the tree, because it won't
>>>> be security-supported by upstream very shortly. Gentoo doesn't have
>>>> the manpower to do security backports and such....we just bump to the
>>>> next version. Until you're paying to use Gentoo, please don't
>>>> complain about how the distro does things. Especially when the
>>>> complaint is "stupid".
>>>>     
>>> Andrew, please be moderate in your responses.  We're all doing the best
>>> we can with a complex technology.  Information and sound analysis help.
>>> Sarcasm and insulting words don't.  This is a technical forum.
>>>
>>> Yves, the bottom line here is that PHP4 has been found by the upstream
>>> PHP developers to have security flaws that aren't easily addressed, and
>>> probably won't be.  Many distributions, not just Gentoo are dropping
>>> support for it since the upstream development focus has switched to PHP5
>>> and PHP6.
>>>
>>> Some of your customers may have issues with their scripts and PHP5, but
>>> having done this upgrade as a consultant to a programmer with a major,
>>> very OO PHP-based research software system, my observation is that the
>>> problems are probably relatively minor and easily fixed.  Two things to
>>> remember:
>>>
>>> 1.  It's important to take a good look at the php.ini files for both
>>> PHP4 and PHP5 and make sure that all the options which might affect
>>> script execution are compatible.
>>>
>>> 2.  It's possible (there's a Gentoo HOWTO on it) to run both PHP4 and
>>> PHP5 on the same system and use either one on a per-directory or
>>> per-file basis, so you can switch potentially problem customers over to
>>> PHP5 one by one.
>>>
>>> My guess is that upgrading globally to PHP5 will affect a relatively
>>> small percentage of your customer base if php.ini synchronization is
>>> good.  PHP5 is very backward compatible in most things.  Your decision
>>> and your actions must also depend on your evaluation of the security
>>> risks, and how the value of your work in maintaining PHP4 and dealing
>>> with possible security breaches balances against the work involved in
>>> upgrading to PHP5 and helping your customers with possible scripting
>>> issues.
>>>
>>> There are a lot of ways to maintain an obsolete package, the simplest of
>>> which is to download the upstream developers' source package and build
>>> and install it outside of Gentoo - not advisable but very doable.
>>>
>>>   
> 
> 


-- 
regards,

Georges Toth

* Re: [gentoo-server] PHP4
  2008-01-22 18:38       ` Yves Thommes
  2008-01-22 18:53         ` Georges Toth
@ 2008-01-22 19:10         ` Lindsay Haisley
  2008-01-22 19:58           ` Thilo Bangert
  2008-01-22 23:45           ` Yves Thommes
  1 sibling, 2 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 19:10 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 19:38 +0100, Yves Thommes wrote:
> i'm rather in a tight spot, management of course doesn't want to drop 
> the customers and either the customer doesn't have the resources to pay 
> for a migration, or maybe even the web-agency who developed the website 
> several years ago has been put out of business or <insert any business 
> reason you like> and we don't have the know-how ourselves to migrate the 
> system.

Can you be more specific about the technical issues?  What sorts of
errors or functionality losses do you see on the problem websites if you
try to run them on PHP5, or are you just noting that a 3rd party
developer has said that the sites won't run on PHP5?

This is of more than academic interest to me.  I run a professional web
hosting service and am faced with a similar problem.  A couple dozen of
my client sites are going to have to be migrated here from PHP4 to PHP5
soon, which will involve moving databases, changing DNS for them and
seeing where they break.  I wrote most of the PHP code so I should be
able to figure it out pretty easily if there are any snags.  PHP gets
about a B for being explicit and clear in emitting meaningful error
messages.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |


-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 18:53         ` Georges Toth
  2008-01-22 18:55           ` Georges Toth
@ 2008-01-22 19:13           ` Lindsay Haisley
  2008-01-22 19:18             ` RijilV
  2008-01-22 19:35             ` Georges Toth
  1 sibling, 2 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 19:13 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 19:53 +0100, Georges Toth wrote:
> A nice alternative to gentoo, with that LTS support, is e.g. debian 4.

Ubuntu server, which is a Debian derivative, is basically dropping
support for PHP4 in their packages for Apache2.  Are you sure that
Debian isn't doing the same?

--
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |


-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:13           ` Lindsay Haisley
@ 2008-01-22 19:18             ` RijilV
  2008-01-22 19:30               ` Lindsay Haisley
  2008-01-22 19:42               ` Georges Toth
  2008-01-22 19:35             ` Georges Toth
  1 sibling, 2 replies; 52+ messages in thread
From: RijilV @ 2008-01-22 19:18 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 685 bytes --]

On 22/01/2008, Lindsay Haisley <fmouse-gentoo@fmp.com> wrote:
>
> On Tue, 2008-01-22 at 19:53 +0100, Georges Toth wrote:
> > A nice alternative to gentoo, with that LTS support, is e.g. debian 4.
>
> Ubuntu server, which is a Debian derivative, is basically dropping
> support for PHP4 in their packages for Apache2.  Are you sure that
> Debian isn't doing the same?


Not to overlook the fact that PHP is dropping support for PHP4 in August.
Switching distributions to get another half year of support seems to me like
getting a tattoo to fit in with the kids at highschool.  Everyone who wants
to run updated software is going to have to make this move at some point in
time.


.r'

[-- Attachment #2: Type: text/html, Size: 1041 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:18             ` RijilV
@ 2008-01-22 19:30               ` Lindsay Haisley
  2008-01-22 19:42               ` Georges Toth
  1 sibling, 0 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 19:30 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 11:18 -0800, RijilV wrote:
> Not to overlook the fact that PHP is dropping support for PHP4 in
> August.  Switching distributions to get another half year of support
> seems to me like getting a tattoo to fit in with the kids at
> highschool.  Everyone who wants to run updated software is going to
> have to make this move at some point in time. 

Excellent point! (and a nice analogy).  The other cost that has to be
factored into any decision is the cost of dealing with the consequences
of a system compromise resulting from a security hole.  Yves, are your
management folks aware that a security compromise on your PHP4 box will
affect _all_ your customers with websites on it, not just those whose
code may have been responsible for the compromise, and that cleaning up
such a mess will probably take a lot more time and expense than the cost
of script migration?

Been there, done that, bought the T-shirt, and it was a Royal PITA!

Not to mention the fact that once you've been compromised, you'll _have_
to migrate your customers to v5 ASAP, possibly without the luxury of
being able to do them one by one.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |


-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:13           ` Lindsay Haisley
  2008-01-22 19:18             ` RijilV
@ 2008-01-22 19:35             ` Georges Toth
  2008-01-22 19:43               ` Greg Bowser
  2008-01-22 19:54               ` Thilo Bangert
  1 sibling, 2 replies; 52+ messages in thread
From: Georges Toth @ 2008-01-22 19:35 UTC (permalink / raw
  To: gentoo-server

> Ubuntu server, which is a Debian derivative, is basically dropping
> support for PHP4 in their packages for Apache2.  Are you sure that
> Debian isn't doing the same?

When are they planning to completely drop php4 support ?

I'm not totally sure, but so far I haven't found any indication that
they will.
Also etch includes php4, and it is the stable release for some more
years, so logically they won't/can't drop php4.

I might be wrong though :-)


Anyway switching away from php4 ASAP is the best one can do.
Any other solution is only a hack and means additional unnecessary work :-)


-- 
regards,

Georges Toth
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 16:36   ` RijilV
@ 2008-01-22 19:39     ` Matthias Bethke
  0 siblings, 0 replies; 52+ messages in thread
From: Matthias Bethke @ 2008-01-22 19:39 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 911 bytes --]

Hi RijilV,
on Tue, Jan 22, 2008 at 08:36:47AM -0800, you wrote:
> Hrm, You have a business, and a "rather large" one at that, and a need.
> Sounds like you'd be a perfect volunteer to maintain the php4 package.

:-D Not a bad idea but in the end I think it's more fruitful to just
migrate what can be migrated and rewrite the rest. I also work for
a fairly[tm] large ISP (some 3.2M sites) and pretty much everybody who
deals with security is longing for the day the switch to PHP5 will
finally be complete. Seeing the same old stupid exploits due to the same
old stupid PHP4 mistakes a few dozen times a day is just getting boring.
My opinion of PHP as a whole is not exactly high but version 5 is the
least bad thing that ever happened to it.

cheers,
	Matthias
-- 
I prefer encrypted and signed messages. KeyID: FAC37665
Fingerprint: 8C16 3F0A A6FC DF0D 19B0  8DEF 48D9 1700 FAC3 7665

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:18             ` RijilV
  2008-01-22 19:30               ` Lindsay Haisley
@ 2008-01-22 19:42               ` Georges Toth
  2008-01-22 20:22                 ` Yves Thommes
  1 sibling, 1 reply; 52+ messages in thread
From: Georges Toth @ 2008-01-22 19:42 UTC (permalink / raw
  To: gentoo-server

> Not to overlook the fact that PHP is dropping support for PHP4 in
> August.  Switching distributions to get another half year of support
> seems to me like getting a tattoo to fit in with the kids at
> highschool.  Everyone who wants to run updated software is going to have
> to make this move at some point in time.

Absolutely !
I'm not saying that trying to keep running php4 is a good idea :-)


-- 
regards,

Georges Toth
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:35             ` Georges Toth
@ 2008-01-22 19:43               ` Greg Bowser
  2008-01-22 19:46                 ` Georges Toth
  2008-01-22 19:54               ` Thilo Bangert
  1 sibling, 1 reply; 52+ messages in thread
From: Greg Bowser @ 2008-01-22 19:43 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 1002 bytes --]

PHP4 support is already obsoleted by the PHP development team -- as of
December 31st last year.  The continuing support that has been spoken of
will be security fixes on a case-by-case basis only, and ending on
2008-08-08.

On Jan 22, 2008 2:35 PM, Georges Toth <georges@norm.lu> wrote:

> > Ubuntu server, which is a Debian derivative, is basically dropping
> > support for PHP4 in their packages for Apache2.  Are you sure that
> > Debian isn't doing the same?
>
> When are they planning to completely drop php4 support ?
>
> I'm not totally sure, but so far I haven't found any indication that
> they will.
> Also etch includes php4, and it is the stable release for some more
> years, so logically they won't/can't drop php4.
>
> I might be wrong though :-)
>
>
> Anyway switching away from php4 ASAP is the best one can do.
> Any other solution is only a hack and means additional unnecessary work
> :-)
>
>
> --
> regards,
>
> Georges Toth
> --
> gentoo-server@lists.gentoo.org mailing list
>
>

[-- Attachment #2: Type: text/html, Size: 1461 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:43               ` Greg Bowser
@ 2008-01-22 19:46                 ` Georges Toth
  2008-01-22 19:48                   ` Andrew Gaffney
  2008-01-22 19:59                   ` Greg Bowser
  0 siblings, 2 replies; 52+ messages in thread
From: Georges Toth @ 2008-01-22 19:46 UTC (permalink / raw
  To: gentoo-server

Greg Bowser wrote:
> PHP4 support is already obsoleted by the PHP development team -- as of
> December 31st last year.  The continuing support that has been spoken of
> will be security fixes on a case-by-case basis only, and ending on
> 2008-08-08.

Is that for Ubuntu or Debian (or both) ?


-- 
regards,

Georges Toth
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:46                 ` Georges Toth
@ 2008-01-22 19:48                   ` Andrew Gaffney
  2008-01-22 19:59                   ` Greg Bowser
  1 sibling, 0 replies; 52+ messages in thread
From: Andrew Gaffney @ 2008-01-22 19:48 UTC (permalink / raw
  To: gentoo-server

Georges Toth wrote:
> Greg Bowser wrote:
>> PHP4 support is already obsoleted by the PHP development team -- as of
>> December 31st last year.  The continuing support that has been spoken of
>> will be security fixes on a case-by-case basis only, and ending on
>> 2008-08-08.
> 
> Is that for Ubuntu or Debian (or both) ?

That's the upstream PHP developers.

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:35             ` Georges Toth
  2008-01-22 19:43               ` Greg Bowser
@ 2008-01-22 19:54               ` Thilo Bangert
  2008-01-22 19:56                 ` Georges Toth
  1 sibling, 1 reply; 52+ messages in thread
From: Thilo Bangert @ 2008-01-22 19:54 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 716 bytes --]

> When are they planning to completely drop php4 support ?
>
> I'm not totally sure, but so far I haven't found any indication that
> they will.

one indication could be that the last php4 release fixed security issues 
which had been fixed in the php5 series months ago...

...another would be that the gentoo devs are dropping support.

and then there is the release notes currently the first item on the 
frontpage of php.net (the PHP homepage):

<quote>
This release wraps up all the outstanding patches for the PHP 4.4 series, 
and is therefore the last normal PHP 4.4 release. If necessary, releases 
to address security issues could be made until 2008-08-08.
</quote>

kind regards
Thilo

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:54               ` Thilo Bangert
@ 2008-01-22 19:56                 ` Georges Toth
  0 siblings, 0 replies; 52+ messages in thread
From: Georges Toth @ 2008-01-22 19:56 UTC (permalink / raw
  To: gentoo-server

Thilo Bangert wrote:
>> When are they planning to completely drop php4 support ?
>>
>> I'm not totally sure, but so far I haven't found any indication that
>> they will.
> 
> one indication could be that the last php4 release fixed security issues 
> which had been fixed in the php5 series months ago...
> 
> ...another would be that the gentoo devs are dropping support.
> 
> and then there is the release notes currently the first item on the 
> frontpage of php.net (the PHP homepage):
> 
> <quote>
> This release wraps up all the outstanding patches for the PHP 4.4 series, 
> and is therefore the last normal PHP 4.4 release. If necessary, releases 
> to address security issues could be made until 2008-08-08.
> </quote>

Uhm, I was talking about Debian, not about php being dropped ;-)


-- 
regards,

Georges Toth
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:10         ` Lindsay Haisley
@ 2008-01-22 19:58           ` Thilo Bangert
  2008-01-22 23:45           ` Yves Thommes
  1 sibling, 0 replies; 52+ messages in thread
From: Thilo Bangert @ 2008-01-22 19:58 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 1170 bytes --]

Lindsay Haisley <fmouse-gentoo@fmp.com> said:
> On Tue, 2008-01-22 at 19:38 +0100, Yves Thommes wrote:
> > i'm rather in a tight spot, management of course doesn't want to drop
> > the customers and either the customer doesn't have the resources to
> > pay for a migration, or maybe even the web-agency who developed the
> > website several years ago has been put out of business or <insert any
> > business reason you like> and we don't have the know-how ourselves to
> > migrate the system.
>
> Can you be more specific about the technical issues?  What sorts of
> errors or functionality losses do you see on the problem websites if
> you try to run them on PHP5, or are you just noting that a 3rd party
> developer has said that the sites won't run on PHP5?
>

migrating your own code should be pretty straightforward using the 
changes documents on php.net:

Migrating from PHP 4 to PHP 5
http://www.php.net/manual/en/migration5.php

Migrating from PHP 5.0.x to PHP 5.1.x
http://www.php.net/manual/en/migration51.php

Migrating from PHP 5.1.x to PHP 5.2.x
http://www.php.net/manual/en/migration52.php

good luck!

kind regards
Thilo

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:46                 ` Georges Toth
  2008-01-22 19:48                   ` Andrew Gaffney
@ 2008-01-22 19:59                   ` Greg Bowser
  1 sibling, 0 replies; 52+ messages in thread
From: Greg Bowser @ 2008-01-22 19:59 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 953 bytes --]

That's just for php4 from the php development team. I'm not sure about
debian or ubuntu.  In my experience, most packages in debian are 3 years
behind official releases anyway, so debian probably won't catch up with the
PHP releases until PHP 6 is the norm :p.  On a more serious note, dropping a
package doesn't really seem like debian's style. They're pretty into the
stability and predictability sort of thing, so I doubt that they'll drop
php4 completely (at least until it is a nonissue.)

On Jan 22, 2008 2:46 PM, Georges Toth <georges@norm.lu> wrote:

> Greg Bowser wrote:
> > PHP4 support is already obsoleted by the PHP development team -- as of
> > December 31st last year.  The continuing support that has been spoken of
> > will be security fixes on a case-by-case basis only, and ending on
> > 2008-08-08.
>
> Is that for Ubuntu or Debian (or both) ?
>
>
> --
> regards,
>
> Georges Toth
> --
> gentoo-server@lists.gentoo.org mailing list
>
>

[-- Attachment #2: Type: text/html, Size: 1413 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 18:16     ` Yves Thommes
@ 2008-01-22 20:13       ` Petteri Räty
  2008-01-22 20:31         ` Yves Thommes
  0 siblings, 1 reply; 52+ messages in thread
From: Petteri Räty @ 2008-01-22 20:13 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 220 bytes --]

Yves Thommes kirjoitti:
> [irony]oh well, you just have to give it to the gentoo community, 
> they're always polite and glad to help.[/irony]
> 

Big community includes all kinds of people.

Regards,
Petteri


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 19:42               ` Georges Toth
@ 2008-01-22 20:22                 ` Yves Thommes
  2008-01-22 20:27                   ` Andrew Gaffney
                                     ` (3 more replies)
  0 siblings, 4 replies; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 20:22 UTC (permalink / raw
  To: gentoo-server

i agree that keeping php4 is not a good idea. if the decision was up to 
me i would have completely switched to php4 a long time ago.

and as i said before, there are customers who would prefer to not pay a 
single dime and just say: we're ok with the current solution even if 
we're not secure anymore and regarding their site being compromised they 
have more of an "we'll cross that bridge when we come to it"-attitude.
the only thing i can do is i'll try to make perfectly clear to my 
management and the customers still on that box that very soon there will 
be no more security fixes and updates for the technology used by their 
website and that they're located on a shared server along with other 
websites who are in the same situation. if one of the sites on the 
server is compromised we can't guarantee the integrity of their 
data/website. after that it's up to them to decide what they really want.

regarding the php4 ebuild i was a little bit surprised that they would 
drop the ebuild so soon, after all php4 will still get security fixes 
until 2008-08. i was wondering, if they keep mysql-4.0 in portage which 
isn't supported anymore since summer 2006, why would they want to drop 
php4 so quickly?

Georges Toth wrote:
>> Not to overlook the fact that PHP is dropping support for PHP4 in
>> August.  Switching distributions to get another half year of support
>> seems to me like getting a tattoo to fit in with the kids at
>> highschool.  Everyone who wants to run updated software is going to have
>> to make this move at some point in time.
>>     
>
> Absolutely !
> I'm not saying that trying to keep running php4 is a good idea :-)
>
>
>   

-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:22                 ` Yves Thommes
@ 2008-01-22 20:27                   ` Andrew Gaffney
  2008-01-22 20:37                     ` Yves Thommes
  2008-01-22 20:47                   ` Qian Qiao
                                     ` (2 subsequent siblings)
  3 siblings, 1 reply; 52+ messages in thread
From: Andrew Gaffney @ 2008-01-22 20:27 UTC (permalink / raw
  To: gentoo-server

Yves Thommes wrote:
> regarding the php4 ebuild i was a little bit surprised that they would 
> drop the ebuild so soon, after all php4 will still get security fixes 
> until 2008-08. i was wondering, if they keep mysql-4.0 in portage which 
> isn't supported anymore since summer 2006, why would they want to drop 
> php4 so quickly?

Because this "stay of execution" was announced after they decided to EOL php4. 
Gentoo dropped the php4 support after the original announcement was made. We're 
not going to temporarily bring them back just for a couple of months.

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:13       ` Petteri Räty
@ 2008-01-22 20:31         ` Yves Thommes
  2008-01-22 20:38           ` Qian Qiao
  0 siblings, 1 reply; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 20:31 UTC (permalink / raw
  To: gentoo-server

of course, i totally agree and i didn't want to say that everybody of 
the gentoo community is rude

sometimes i hang around on the gentoo forums and irc channels and i 
notice very often that people get insulted for asking casual questions. 
of course there are some questions which can be answered very easily 
using the forum search function or by using the gentoo-wiki. but there 
are people with real questions and very often they only get "please just 
use windows and don't waste our time"-style answers. very mature.



Petteri Räty wrote:
> Yves Thommes kirjoitti:
>> [irony]oh well, you just have to give it to the gentoo community, 
>> they're always polite and glad to help.[/irony]
>>
>
> Big community includes all kinds of people.
>
> Regards,
> Petteri
>

-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:27                   ` Andrew Gaffney
@ 2008-01-22 20:37                     ` Yves Thommes
  0 siblings, 0 replies; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 20:37 UTC (permalink / raw
  To: gentoo-server

i really don't want to start splitting hairs here, but on 2007-07-13 the 
php team did the following announcement:

[quote]
The PHP development team hereby announces that support for PHP 4 will 
continue until the end of this year only. After 2007-12-31 there will be 
no more releases of PHP 4.4. We will continue to make critical security 
fixes available on a case-by-case basis until 2008-08-08. Please use the 
rest of this year to make your application suitable to run on PHP 5.
[/quote]

so i suppose the support period was announced together with the EOL news

but ok, i get the point that you want people to update to php5 asap.

Andrew Gaffney wrote:
> Yves Thommes wrote:
>> regarding the php4 ebuild i was a little bit surprised that they 
>> would drop the ebuild so soon, after all php4 will still get security 
>> fixes until 2008-08. i was wondering, if they keep mysql-4.0 in 
>> portage which isn't supported anymore since summer 2006, why would 
>> they want to drop php4 so quickly?
>
> Because this "stay of execution" was announced after they decided to 
> EOL php4. Gentoo dropped the php4 support after the original 
> announcement was made. We're not going to temporarily bring them back 
> just for a couple of months.
>

-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:31         ` Yves Thommes
@ 2008-01-22 20:38           ` Qian Qiao
  2008-01-22 20:46             ` Andrew Gaffney
  0 siblings, 1 reply; 52+ messages in thread
From: Qian Qiao @ 2008-01-22 20:38 UTC (permalink / raw
  To: gentoo-server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yves Thommes wrote:
> of course, i totally agree and i didn't want to say that everybody of
> the gentoo community is rude
> 
> sometimes i hang around on the gentoo forums and irc channels and i
> notice very often that people get insulted for asking casual questions.
> of course there are some questions which can be answered very easily
> using the forum search function or by using the gentoo-wiki. but there
> are people with real questions and very often they only get "please just
> use windows and don't waste our time"-style answers. very mature.

Here's another one: if only I can break top-posters' fingers

- -- Joe


- --
A computer scientist is someone who, when told "go to hell", considers
the "go to" harmful rather than the destination.

GnuPG Key:  0xB14661D9
GnuPG FP:   DE08 57AE A1AD 620C 02AA  CCDD 611B 63AC B146 61D9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHllRVYRtjrLFGYdkRAloFAKCiBz754lqyc+qMkA2g/7Nq0luQiACgmFx3
pTRiT044dgfS6BXlU+UEh3U=
=pXD3
-----END PGP SIGNATURE-----
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:38           ` Qian Qiao
@ 2008-01-22 20:46             ` Andrew Gaffney
  2008-01-22 21:19               ` Lindsay Haisley
  0 siblings, 1 reply; 52+ messages in thread
From: Andrew Gaffney @ 2008-01-22 20:46 UTC (permalink / raw
  To: gentoo-server

Qian Qiao wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Yves Thommes wrote:
>> of course, i totally agree and i didn't want to say that everybody of
>> the gentoo community is rude
>>
>> sometimes i hang around on the gentoo forums and irc channels and i
>> notice very often that people get insulted for asking casual questions.
>> of course there are some questions which can be answered very easily
>> using the forum search function or by using the gentoo-wiki. but there
>> are people with real questions and very often they only get "please just
>> use windows and don't waste our time"-style answers. very mature.
> 
> Here's another one: if only I can break top-posters' fingers

Heh, I've been wanting to yell at a certain someone for that this entire thread :P

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:22                 ` Yves Thommes
  2008-01-22 20:27                   ` Andrew Gaffney
@ 2008-01-22 20:47                   ` Qian Qiao
  2008-01-22 21:12                   ` Lindsay Haisley
  2008-01-22 21:42                   ` pkoelle
  3 siblings, 0 replies; 52+ messages in thread
From: Qian Qiao @ 2008-01-22 20:47 UTC (permalink / raw
  To: gentoo-server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yves Thommes wrote:
> after all php4 will still get security fixes
> until 2008-08.

This is not completely true, only *critical* security flaws, and only
on a case-by-case basis.

The implication is that: there's a good chance that if disabling some
feature disables a security flaw too, don't expect a fix, live with a
castrated PHP4

- -- Joe


- --
A computer scientist is someone who, when told "go to hell", considers
the "go to" harmful rather than the destination.

GnuPG Key:  0xB14661D9
GnuPG FP:   DE08 57AE A1AD 620C 02AA  CCDD 611B 63AC B146 61D9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHllZ2YRtjrLFGYdkRAljLAJ95bsMlXb6UEKtjN8MPNO3MiYUyPgCgqpET
9JA4jQh26AMgxTiP3sRglGY=
=gJHf
-----END PGP SIGNATURE-----
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:22                 ` Yves Thommes
  2008-01-22 20:27                   ` Andrew Gaffney
  2008-01-22 20:47                   ` Qian Qiao
@ 2008-01-22 21:12                   ` Lindsay Haisley
  2008-01-22 21:18                     ` Andrew Gaffney
  2008-01-22 21:42                   ` pkoelle
  3 siblings, 1 reply; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 21:12 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 21:22 +0100, Yves Thommes wrote:
> if one of the sites on the 
> server is compromised we can't guarantee the integrity of their 
> data/website.

It's far worse than this.  If one of the sites on the server is
compromised then you can't guarantee the integrity of _any_ data/website
on that server.

In the former case, it would be _their_ business decision, but this
really makes it yours.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |


-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 21:12                   ` Lindsay Haisley
@ 2008-01-22 21:18                     ` Andrew Gaffney
  2008-01-22 23:02                       ` Yves Thommes
  0 siblings, 1 reply; 52+ messages in thread
From: Andrew Gaffney @ 2008-01-22 21:18 UTC (permalink / raw
  To: gentoo-server

Lindsay Haisley wrote:
> On Tue, 2008-01-22 at 21:22 +0100, Yves Thommes wrote:
>> if one of the sites on the 
>> server is compromised we can't guarantee the integrity of their 
>> data/website.
> 
> It's far worse than this.  If one of the sites on the server is
> compromised then you can't guarantee the integrity of _any_ data/website
> on that server.
> 
> In the former case, it would be _their_ business decision, but this
> really makes it yours.

I was waiting for somebody to point this out. You continuing to run PHP4 on any 
of your servers makes *you* liable for damage to other customers' sites. Explain 
*that* to your management. That possibility should alone outweigh the cost of 
losing a few customers who don't want to migrate their stuff to PHP5.

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator
-- 
gentoo-server@lists.gentoo.org mailing list



^ permalink raw reply	[flat|nested] 52+ messages in thread

* Re: [gentoo-server] PHP4
  2008-01-22 20:46             ` Andrew Gaffney
@ 2008-01-22 21:19               ` Lindsay Haisley
  2008-01-22 21:20                 ` Andrew Gaffney
  2008-01-22 21:35                 ` Oliver Schad
  0 siblings, 2 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 21:19 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 14:46 -0600, Andrew Gaffney wrote:
> Heh, I've been wanting to yell at a certain someone for that this
> entire thread :P

Patience, Andrew.  Take a deep breath and count to 256 ;-)

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |



* Re: [gentoo-server] PHP4
  2008-01-22 21:19               ` Lindsay Haisley
@ 2008-01-22 21:20                 ` Andrew Gaffney
  2008-01-22 21:23                   ` Lindsay Haisley
  2008-01-22 21:35                 ` Oliver Schad
  1 sibling, 1 reply; 52+ messages in thread
From: Andrew Gaffney @ 2008-01-22 21:20 UTC (permalink / raw
  To: gentoo-server

Lindsay Haisley wrote:
> On Tue, 2008-01-22 at 14:46 -0600, Andrew Gaffney wrote:
>> Heh, I've been wanting to yell at a certain someone for that this
>> entire thread :P
> 
> Patience, Andrew.  Take a deep breath and count to 256 ;-)

Oh noes! I've overflowed!

-- 
Andrew Gaffney                                 http://dev.gentoo.org/~agaffney/
Gentoo Linux Developer             Catalyst/Installer + x86 release coordinator

* Re: [gentoo-server] PHP4
  2008-01-22 21:20                 ` Andrew Gaffney
@ 2008-01-22 21:23                   ` Lindsay Haisley
  0 siblings, 0 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-22 21:23 UTC (permalink / raw
  To: gentoo-server

On Tue, 2008-01-22 at 15:20 -0600, Andrew Gaffney wrote:
> Lindsay Haisley wrote:
> > On Tue, 2008-01-22 at 14:46 -0600, Andrew Gaffney wrote:
> >> Heh, I've been wanting to yell at a certain someone for that this
> >> entire thread :P
> > 
> > Patience, Andrew.  Take a deep breath and count to 256 ;-)
> 
> Oh noes! I've overflowed!

'Scuse me, Andrew.  Had to put that in.  Just my eight bits' worth.

-- 
Lindsay Haisley       | "In an open world,    |     PGP public key
FMP Computer Services |    who needs Windows  |      available at
512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
http://www.fmp.com    |                       |



* Re: [gentoo-server] PHP4
  2008-01-22 21:19               ` Lindsay Haisley
  2008-01-22 21:20                 ` Andrew Gaffney
@ 2008-01-22 21:35                 ` Oliver Schad
  1 sibling, 0 replies; 52+ messages in thread
From: Oliver Schad @ 2008-01-22 21:35 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 613 bytes --]

On Tuesday, 22 January 2008 22:19, Lindsay Haisley wrote to me:
> On Tue, 2008-01-22 at 14:46 -0600, Andrew Gaffney wrote:
> > Heh, I've been wanting to yell at a certain someone for that this
> > entire thread :P
>
> Patience, Andrew.  Take a deep breath and count to 256 ;-)

You start counting from 1? <nelson>HA - HA</nelson> ;-)

regards
Oli

> --
> Lindsay Haisley       | "In an open world,    |     PGP public key
> FMP Computer Services |    who needs Windows  |      available at
> 512-259-1190          |      or Gates"        | http://pubkeys.fmp.com
> http://www.fmp.com    |                       |


* Re: [gentoo-server] PHP4
  2008-01-22 20:22                 ` Yves Thommes
                                     ` (2 preceding siblings ...)
  2008-01-22 21:12                   ` Lindsay Haisley
@ 2008-01-22 21:42                   ` pkoelle
  2008-01-22 21:58                     ` RijilV
  3 siblings, 1 reply; 52+ messages in thread
From: pkoelle @ 2008-01-22 21:42 UTC (permalink / raw
  To: gentoo-server

Yves Thommes wrote:
> i agree that keeping php4 is not a good idea. if the decision was up to 
> me i would have completely switched to php4 a long time ago.
> 
> and as i said before, there are customers who would prefer to not pay a 
> single dime and just say: we're ok with the current solution even if 
> we're not secure anymore and regarding their site being compromised they 
> have more of an "we'll cross that bridge when we come to it"-attitude.
> the only thing i can do is i'll try to make perfectly clear to my 
> management and the customers still on that box that very soon there will 
> be no more security fixes and updates for the technology used by their 
> website and that they're located on a shared server along with other 
> websites who are in the same situation. if one of the sites on the 
> server is compromised we can't guarantee the integrity of their 
> data/website. after that it's up to them to decide what they really want.
I'd say it's perfectly reasonable to charge those wanting to keep 
php4 for the additional risk management. Even if it's a small margin, 
they will (finally) see a benefit in migrating their apps.

cheers
  Paul



* Re: [gentoo-server] PHP4
  2008-01-22 21:42                   ` pkoelle
@ 2008-01-22 21:58                     ` RijilV
  0 siblings, 0 replies; 52+ messages in thread
From: RijilV @ 2008-01-22 21:58 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 678 bytes --]

On 22/01/2008, pkoelle@gmail.com <pkoelle@gmail.com> wrote:
>
> I'd say it's perfectly reasonable to charge those wanting to keep
> php4 for the additional risk management. Even if it's a small margin,
> they will (finally) see a benefit in migrating their apps.
>
> cheers
>   Paul


We have clients who doubled the costs to their php4 hanger-on clients
recently in a passive-aggressive move to get rid of them.  The php4 clients
didn't even bat an eye and sent in their money.  Our client is likely going
to build out a server just for php4 and will expense that all to the php4
clients directly.  You might be surprised what you can charge for php4
support right now...


* Re: [gentoo-server] PHP4
  2008-01-22 21:18                     ` Andrew Gaffney
@ 2008-01-22 23:02                       ` Yves Thommes
  2008-01-22 23:11                         ` Qian Qiao
  2008-01-23  0:39                         ` Georges Toth
  0 siblings, 2 replies; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 23:02 UTC (permalink / raw
  To: gentoo-server

ehm, maybe my english is not perfect but that's *exactly* what i meant 
as well. i would tell customer x that if the site of customer y on the 
same server would be compromised, the site of customer x would be 
compromised as well. ;)

after most of the comments i've read so far i would say that bottom line 
is: we give our customers a deadline until when they will have to 
migrate to php5 and basta, like my italian co-worker would say. ;)

but actually this situation is more complicated than it seems. and there 
is even another crazy solution to this whole fiasco. as i said in our 
case there are only about a dozen websites which don't run at all on 
php5, so i could create a vmware machine for each customer, so if their 
site would be compromised, it wouldn't affect the others. but i mean, 
that's overkill.

tomorrow morning i'll suggest both solutions to our customers, either 
they try to migrate to php5 asap or they'll be hosted on a small 
isolated php4 box along with other php4 sites (the risks will be made 
perfectly clear to each and every customer being hosted on this server 
and they would of course have to agree to these terms, in writing) which 
might get them to reconsider migrating to php5. Or as a last resort the 
vmware solution which would be the most expensive one, and i guess this 
might also help them to reconsider migration to php5.


Andrew Gaffney wrote:
> Lindsay Haisley wrote:
>> On Tue, 2008-01-22 at 21:22 +0100, Yves Thommes wrote:
>>> if one of the sites on the server is compromised we can't guarantee 
>>> the integrity of their data/website.
>>
>> It's far worse than this.  If one of the sites on the server is
>> compromised then you can't guarantee the integrity of _any_ data/website
>> on that server.
>>
>> In the former case, it would be _their_ business decision, but this
>> really makes it yours.
>
> I was waiting for somebody to point this out. You continuing to run 
> PHP4 on any of your servers makes *you* liable for damage to other 
> customers' sites. Explain *that* to your management. That possibility 
> should alone outweigh the cost of losing a few customers who don't 
> want to migrate their stuff to PHP5.
>


* Re: [gentoo-server] PHP4
  2008-01-22 23:02                       ` Yves Thommes
@ 2008-01-22 23:11                         ` Qian Qiao
  2008-01-22 23:15                           ` RijilV
  2008-01-23  0:39                         ` Georges Toth
  1 sibling, 1 reply; 52+ messages in thread
From: Qian Qiao @ 2008-01-22 23:11 UTC (permalink / raw
  To: gentoo-server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yves Thommes wrote:
> [Snip]

1. Dude, stop top-posting
2. There's another solution: explain to them that php4 is end of life,
and if they want to go on using it, they will be migrated to a separate
cluster, so that if they get compromised, they are in a relatively
isolated cluster. Also make it damn clear to them that if any of the
php4 apps in that cluster gets compromised, there's a good chance that
their app will be affected, if they still want to stick with php4, then
charge them a lot more for the extra administration work and their
stupidity.

- -- Joe

- --
A computer scientist is someone who, when told "go to hell", considers
the "go to" harmful rather than the destination.

GnuPG Key:  0xB14661D9
GnuPG FP:   DE08 57AE A1AD 620C 02AA  CCDD 611B 63AC B146 61D9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHlnggYRtjrLFGYdkRAuq7AJ9u0pn1vwdUjdIHbj+SJ3Rbpa65SACg6twO
5azRqCH67WKEbEFxDZuoNB0=
=p9ek
-----END PGP SIGNATURE-----

* Re: [gentoo-server] PHP4
  2008-01-22 23:11                         ` Qian Qiao
@ 2008-01-22 23:15                           ` RijilV
  2008-01-22 23:41                             ` Chashab
  0 siblings, 1 reply; 52+ messages in thread
From: RijilV @ 2008-01-22 23:15 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 144 bytes --]

On 22/01/2008, Qian Qiao <qian.qiao@gmail.com> wrote:

> cluster, so that if they get compromised, they are in a relatively
>

s/if/when/


.r'


* Re: [gentoo-server] PHP4
  2008-01-22 23:15                           ` RijilV
@ 2008-01-22 23:41                             ` Chashab
  2008-01-23  8:37                               ` Dumitru Moldovan
  0 siblings, 1 reply; 52+ messages in thread
From: Chashab @ 2008-01-22 23:41 UTC (permalink / raw
  To: gentoo-server

Also note one of the reasons PHP decided to drop support for PHP4: http://www.gophp5.org/

They have a lot of projects signed up, including big ones like phpmyadmin.  So it is within your best interest to upgrade.

Cheers,

* Re: [gentoo-server] PHP4
  2008-01-22 19:10         ` Lindsay Haisley
  2008-01-22 19:58           ` Thilo Bangert
@ 2008-01-22 23:45           ` Yves Thommes
  2008-01-23  0:00             ` Qian Qiao
  2008-01-23  0:07             ` Lindsay Haisley
  1 sibling, 2 replies; 52+ messages in thread
From: Yves Thommes @ 2008-01-22 23:45 UTC (permalink / raw
  To: gentoo-server

Lindsay Haisley wrote:
> Can you be more specific about the technical issues?  What sorts of
> errors or functionality losses do you see on the problem websites if you
> try to run them on PHP5, or are you just noting that a 3rd party
> developer has said that the sites won't run on PHP5?
>
>
>   
as mentioned in my initial post, we have several sites which were 
created using the ezpublish cms, version 3.7. this version of ezpublish 
is not stable at all under php5.

you would at least have to upgrade to 3.9 to get more stability or even 
better, 4.x to get full php5 support.
http://ez.no/ezpublish/requirements

one customer running his site using this version doesn't want to invest 
any more money into the website, he considers the web agency who sold 
them this solution should do the migration for free but they think 
otherwise, finally it's our responsibility to keep the sites running and 
secure, go figure. well it was all management mumbo-jumbo which didn't 
really concern me, until now.

* Re: [gentoo-server] PHP4
  2008-01-22 23:45           ` Yves Thommes
@ 2008-01-23  0:00             ` Qian Qiao
  2008-01-23  0:07             ` Lindsay Haisley
  1 sibling, 0 replies; 52+ messages in thread
From: Qian Qiao @ 2008-01-23  0:00 UTC (permalink / raw
  To: gentoo-server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yves Thommes wrote:
> finally it's our responsibility to keep the sites running and
> secure

PHP4 doesn't just pose a security threat to a particular web app, but to the
machine or even the cluster it runs on; one buggy php4 version or php4
application can potentially take down the entire cluster. As I've said
before, if they insist on running PHP4, then the only logical solution
will be to run PHP4 on its own cluster, so when it's hacked, the damage
is contained.

If the additional cost of such a solution cannot be covered by the
customers who insist on running PHP4, then the responsible solution is to
drop support of PHP4, in the interest of other customers who do want to go
for the more secure solution; they should not be punished by those who
insist on staying on php4.

- -- Joe

- --
A computer scientist is someone who, when told "go to hell", considers
the "go to" harmful rather than the destination.

GnuPG Key:  0xB14661D9
GnuPG FP:   DE08 57AE A1AD 620C 02AA  CCDD 611B 63AC B146 61D9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFHloOJYRtjrLFGYdkRAgJVAJkBCjvbrXzry69xMmL1rKl19NNqUgCg1gph
sOWQEniwflNLyEzVpABPWrs=
=SiWm
-----END PGP SIGNATURE-----

* Re: [gentoo-server] PHP4
  2008-01-22 23:45           ` Yves Thommes
  2008-01-23  0:00             ` Qian Qiao
@ 2008-01-23  0:07             ` Lindsay Haisley
  1 sibling, 0 replies; 52+ messages in thread
From: Lindsay Haisley @ 2008-01-23  0:07 UTC (permalink / raw
  To: gentoo-server

On Wed, 2008-01-23 at 00:45 +0100, Yves Thommes wrote:
> Lindsay Haisley wrote:
> > Can you be more specific about the technical issues?  What sorts of
> > errors or functionality losses do you see on the problem websites if you
> > try to run them on PHP5, or are you just noting that a 3rd party
> > developer has said that the sites won't run on PHP5?
> >
> >   
> as mentioned in my initial post, we have several sites which were 
> created using the ezpublish cms, version 3.7. this version of ezpublish 
> is not stable at all under php5.

So have you, or your customer tried running ezpublish cms under PHP5?
What breaks?  What do you mean, it's "not stable"?

All the literature online re ezpublish cms states categorically that v
3.7 won't run on PHP5, but there are only a handful of incompatibilities
between PHP4 and PHP5, mostly syntax stuff.

I know what I'd do here, but I won't go there on this forum ;-)

-- 
Lindsay Haisley       | "The difference between |     PGP public key
FMP Computer Services |  a duck is that one leg |      available at
512-259-1190          |    is  both the same"   | http://pubkeys.fmp.com
http://www.fmp.com    |       - Anonymous       |


* Re: [gentoo-server] PHP4
  2008-01-22 23:02                       ` Yves Thommes
  2008-01-22 23:11                         ` Qian Qiao
@ 2008-01-23  0:39                         ` Georges Toth
  1 sibling, 0 replies; 52+ messages in thread
From: Georges Toth @ 2008-01-23  0:39 UTC (permalink / raw
  To: gentoo-server

> but actually this situation is more complicated than it seems. and there
> is even another crazy solution to this whole fiasco. as i said in our
> case there are only about a dozen websites which don't run at all on
> php5, so i could create a vmware machine for each customer, so if their
> site would be compromised, it wouldn't affect the others. but i mean,
> that's overkill.
> 
> tomorrow morning i'll suggest both solutions to our customers, either
> they try to migrate to php5 asap or they'll be hosted on a small
> isolated php4 box along with other php4 sites (the risks will be made
> perfectly clear to each and every customer being hosted on this server
> and they would of course have to agree to these terms, in writing) which
> might get them to reconsider migrating to php5. Or as a last resort the
> vmware solution which would be the most expensive one, and i guess this
> might also help them to reconsider migration to php5.

VMware would definitely be overkill.
If you have to go with such a solution, you'd be better off isolating
either only the php processes or webserver+php in vserver or openvz
containers and have a common DB on the host ... or the like.

... my point being to use openvz or vserver, as they fit perfectly for
this problem and as both (at least vserver) are causing nearly no
additional overhead, you have them isolated, secured the box itself
(host) and every customer from each other, and don't need any additional
resources (maybe some more, but you surely get the idea :-) ).


-- 
regards,

Georges Toth

* Re: [gentoo-server] PHP4
  2008-01-22 23:41                             ` Chashab
@ 2008-01-23  8:37                               ` Dumitru Moldovan
  0 siblings, 0 replies; 52+ messages in thread
From: Dumitru Moldovan @ 2008-01-23  8:37 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 548 bytes --]

Chashab <chashab@goodcoffee.ca> wrote:
> Also note one of the reasons PHP decided to drop support for PHP4:
> http://www.gophp5.org/
> 
> They have a lot of projects signed up, including big ones like
> phpmyadmin.  So it is within your best interest to upgrade.

I would love to see SourceForge.net on that list... They are stuck
with PHP 4.3.9 from CentOS 4.4 and have no roadmap for making PHP 5.x
available to hosted projects.

Reality bites,

-- 
Dumitru Mişu Moldovan
Network Administrator / AXIGEN
http://www.axigen.com



* Re: [gentoo-server] PHP4
  2008-01-22 16:13 ` Yves Thommes
  2008-01-22 16:19   ` Andrew Gaffney
  2008-01-22 16:36   ` RijilV
@ 2008-01-23 15:02   ` Matthew Summers
  2 siblings, 0 replies; 52+ messages in thread
From: Matthew Summers @ 2008-01-23 15:02 UTC (permalink / raw
  To: gentoo-server

[-- Attachment #1: Type: text/plain, Size: 1063 bytes --]

On Jan 22, 2008 10:13 AM, Yves Thommes <doc@foobar.lu> wrote:

> i'm working at an isp and we're running gentoo on all of our linux
> servers. we have a rather large hosting business and some customers have
> their site running on software which is not compatible with php5. if
> gentoo decides to drop php4 support for good we would be forced to
> either tell our customers to change their hosting provider because we
> can no longer provide web servers with php4 or simple replace gentoo
> with another distro like centos, redhat or debian where we still would
> have php4 support.
>
> < --snip>

Virtualization, no matter what method you choose, is a good way to go. Also,
chrooting each server on a hardened (grsecurity/pax patched) kernel might
work well, due to the chroot jail protections within that.  One jail
per webapp.  I do sympathize with the poster here on this; hope you are able
to find a fitting solution.

Peace

-- 
M. Summers

msummers42@gmail.com

"...there are no rules here -- we're trying to accomplish something."
 - Thomas A. Edison


end of thread, other threads:[~2008-01-23 15:02 UTC | newest]
