Will they keep patching old version of PHP?

  • ipsirc@lemmy.ml · 42 up · 9 months ago

    They’re waiting for Debian developers to backport the patches.

  • Limonene@lemmy.world · 32 up · 9 months ago

    In many cases, they will cherry-pick security fixes and other major bugfixes from the bleeding-edge version, and put those fixes in the old versions of the software.

    This is the same thing the PHP folks would do while the old PHP is supported. Once the old PHP is out of support but Ubuntu LTS is still in support, then the Ubuntu folks have to put in the extra work to do the cherry-picking.
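
The practical consequence of the cherry-picking described above is that the upstream version string stops being a reliable indicator of which fixes a package contains: a distro build still reports, say, `7.4.33`, while its Debian revision (`-1+deb11u4`, `-1ubuntu4.x`) carries the backported CVE fixes. Version-matching vulnerability scanners get this wrong; the package changelog (`apt changelog <pkg>` or `/usr/share/doc/<pkg>/changelog.Debian.gz`) is the record that tells the truth. The following is an added example, not code from the thread or from Debian/Ubuntu tooling: it parses a Debian-format changelog, implements dpkg's version ordering (including epochs and the `~` pre-release rule), and reports which CVE ids are fixed at or below the installed package version. The changelog text and the `CVE-2099-*` identifiers are constructed placeholders, not real entries or real vulnerabilities.

```python
import itertools
import re
from typing import List, Set, Tuple

# Constructed sample in Debian changelog format; the CVE ids are placeholders,
# not real vulnerabilities. In practice feed in the output of
# `apt changelog php7.4` or `zcat /usr/share/doc/php7.4/changelog.Debian.gz`.
SAMPLE_CHANGELOG = """\
php7.4 (7.4.33-1+deb11u5) bullseye-security; urgency=medium

  * Non-maintainer upload by the Security Team.
  * Backport fix for CVE-2099-0003 (constructed placeholder id).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000

php7.4 (7.4.33-1+deb11u4) bullseye-security; urgency=medium

  * Backport fixes for CVE-2099-0001 and CVE-2099-0002 (constructed placeholders).

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000

php7.4 (7.4.33-1+deb11u3) bullseye; urgency=medium

  * Packaging fix, no security content.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Jan 2099 00:00:00 +0000
"""

_HEADER = re.compile(r"^(\S+) \(([^)]+)\) ([^;]+); urgency=\S+", re.M)
_CVE = re.compile(r"CVE-\d{4}-\d{4,}")


def _char_order(c: str) -> int:
    """dpkg ordering for one character of a non-digit segment:
    '~' sorts before everything (even end of string, which is 0),
    letters sort before non-letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream or revision fragment the way dpkg's verrevcmp does:
    alternate non-digit runs (compared per character) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        for ca, cb in itertools.zip_longest(na, nb, fillvalue=""):
            oa = _char_order(ca) if ca else 0
            ob = _char_order(cb) if cb else 0
            if oa != ob:
                return -1 if oa < ob else 1
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = (int(da) if da else 0), (int(db) if db else 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(version: str) -> Tuple[int, str, str]:
    """Split [epoch:]upstream[-revision]; a missing revision counts as '0'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, revision = version, "0"
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def upstream_version(version: str) -> str:
    """The part a naive scanner (or `php -v`) sees, stripped of distro revision."""
    return _split(version)[1]


def parse_changelog(text: str) -> List[Tuple[str, Set[str]]]:
    """Return [(package_version, {CVE ids mentioned in that entry}), ...], newest first."""
    headers = list(_HEADER.finditer(text))
    entries = []
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        entries.append((h.group(2), set(_CVE.findall(text[h.end():end]))))
    return entries


def cves_fixed_in(text: str, installed: str) -> Set[str]:
    """CVE ids whose fixing entry is at or below the installed package version."""
    fixed: Set[str] = set()
    for version, cves in parse_changelog(text):
        if dpkg_compare(version, installed) <= 0:
            fixed |= cves
    return fixed


def is_fixed(text: str, installed: str, cve: str) -> bool:
    return cve in cves_fixed_in(text, installed)


if __name__ == "__main__":
    installed = "7.4.33-1+deb11u4"
    print("upstream version a scanner sees:", upstream_version(installed))
    print("CVEs fixed by the distro build:", sorted(cves_fixed_in(SAMPLE_CHANGELOG, installed)))
```

The version comparison matters more than it looks: `7.4.33-1+deb11u10` must sort above `7.4.33-1+deb11u9` (numeric, not lexical), and `7.4.33~rc1` below `7.4.33`, or the check will misreport what a security upload fixed.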

  • Kualk@lemm.ee · 37 up, 7 down · edited · 9 months ago

    Only if there is such a huge vulnerability that they will have no choice.

    That’s just my guess.

    Promise of support is a tricky one.

  • chameleon@kbin.social · 10 up · 9 months ago

    There are community backports (like Sury’s Debian builds) for PHP, including a branch of PHP 5.6 originally released in 2014. Most other notable languages and major packages have something similar as well, right down to major packages like Drupal 6. It’s not always easy, but it’s doable and the work is usually either already done or can be paid for.

    Weird things that are truly too difficult to support are also often excluded. E.g. Spectre/Meltdown fixes were non-trivial and had to be backported to a fairly wide range of things, but that only went so far back. Some old systems just never got those fixes and instead have to be run with a workaround (“don’t run untrusted code”). I don’t know how things are with the new offering, but large complicated packages with lots of moving parts like OpenStack used to be excluded from the full extended support cycle before as well.

  • db2@lemmy.world · 12 up, 4 down · 9 months ago

    I would think “long term support” can also sometimes mean moving that support to a newer version, especially where it doesn’t break compatibility.

    • Spectacle8011@lemmy.comfysnug.space · 1 up · 9 months ago

      That would be the logical conclusion, but I believe Debian uses the old version for years after it’s unsupported and might backport security fixes depending on how severe they are. Either way, I personally wouldn’t trust Debian or Ubuntu to properly fix security issues with a program (or in this case, programming language) that they do not actively develop or maintain themselves.

  • bizdelnick@lemmy.ml · 3 up, 9 down · 9 months ago

    LOL, they’ll do nothing as usual. Probably they will apply security patches if someone submits them, but I’m unsure.