Will they keep patching old version of PHP?

  • ipsirc@lemmy.ml
    link
    fedilink
    English
    arrow-up
    44
    ·
    10 months ago

    They’re waiting for Debian developers backporting the patches.

  • Limonene@lemmy.world
    link
    fedilink
    arrow-up
    35
    ·
    10 months ago

    In many cases, they will cherrypick security fixes and other major bugfixes from the bleeding edge version, and put those fixes in the old versions of the software.

    This is the same thing the PHP folks would do while the old PHP is supported. Once the old PHP is out of support but Ubuntu LTS is still in support, then the Ubuntu folks have to put in the extra work to do the cherrypicking.

  • Kualk@lemm.ee
    link
    fedilink
    arrow-up
    37
    arrow-down
    10
    ·
    edit-2
    10 months ago

    Only if there is such a huge vulnerability that they will have no choice.

    That’s just my guess.

    Promise of support is a tricky one.

  • chameleon@kbin.social
    link
    fedilink
    arrow-up
    10
    ·
    10 months ago

    There are community backports (like Sury’s Debian builds) for PHP, including a branch of PHP 5.6 originally released in 2014. Most other notable languages and major packages have something likewise as well, right down to major packages like Drupal 6. It’s not always easy, but it’s doable and the work is usually either already done or can be paid for.

    Weird things that are truly too difficult to support are also often excluded. Eg Spectre/Meltdown fixes were non-trivial and had to be backported to a fairly wide range of things but that only went so far back. Some old systems just never got those fixes and instead have to be ran with a workaround (“don’t run untrusted code”). I don’t know how things are with the new offering but large complicated packages with lots of moving parts like OpenStack used to be excluded from the full extended support cycle before as well.

  • db2@lemmy.world
    link
    fedilink
    arrow-up
    12
    arrow-down
    5
    ·
    10 months ago

    I would think “long term support” can also sometimes mean moving that support to a newer version, especially where it doesn’t break compatibility.

    • Spectacle8011@lemmy.comfysnug.space
      link
      fedilink
      arrow-up
      1
      ·
      10 months ago

      That would be the logical conclusion, but I believe Debian uses the old version for years after it’s unsupported and might backport security fixes depending on how severe they are. Either way, I personally wouldn’t trust Debian or Ubuntu to properly fix security issues with a program (or in this case, programming language) that they do not actively develop or maintain themselves.

    • atzanteol@sh.itjust.works
      link
      fedilink
      arrow-up
      4
      ·
      10 months ago

      It will be fine. That’s the entire point of an lts version. Ubuntu back ports security fixes to the old versions.

  • bizdelnick@lemmy.ml
    link
    fedilink
    arrow-up
    3
    arrow-down
    10
    ·
    10 months ago

    LOL they’ll do nothing as usual. Probably they will apply security patches if someone submit them, but I’m unsure.

      • bizdelnick@lemmy.ml
        link
        fedilink
        arrow-up
        1
        arrow-down
        3
        ·
        10 months ago

        It does not even provide security fixes to unpayed users for two years. Except for few “base” packages. BTW is php a “base” package in ubuntu?

        • atzanteol@sh.itjust.works
          link
          fedilink
          arrow-up
          2
          ·
          10 months ago

          Yes.

          $ apt policy php
          php:
            Installed: (none)
            Candidate: 2:8.1+92ubuntu1
            Version table:
               2:8.1+92ubuntu1 500
                  500 http://mirrors.us.kernel.org/ubuntu jammy/main amd64 Packages
                  500 http://mirrors.us.kernel.org/ubuntu jammy/main i386 Packages
                  500 https://mirrors.mit.edu/ubuntu jammy/main amd64 Packages
                  500 https://mirrors.mit.edu/ubuntu jammy/main i386 Packages
                  500 http://apt.pop-os.org/ubuntu jammy/main amd64 Packages
                  500 http://apt.pop-os.org/ubuntu jammy/main i386 Packages
          
            • Avid Amoeba@lemmy.ca
              link
              fedilink
              arrow-up
              2
              ·
              edit-2
              10 months ago

              Installing Debian is not an alternative to the 10-12 year Ubuntu LTS support because Debian doesn’t offer that kind of support. Also as the sibling noted, Ubuntu Pro isn’t needed to get the same support you’re getting from Debian. Ubuntu Pro provides additional support that you don’t get from Debian throughout the support lifespan.

              BTW, not offering 10-12 years of support is totally reasonable for a community distribution. I don’t expect volunteers to be backporting fixes for packages built 12 years ago.

              • bizdelnick@lemmy.ml
                link
                fedilink
                arrow-up
                1
                arrow-down
                2
                ·
                10 months ago

                10-12 years of support attract only those who think they will never need to update. I don’t think so and I update to each released version, each ~2 years. I know that skipping a release is not supported in any distribution. And update cost grows exponentially over time. So thank you, but I don’t need a support for longer than 3 or 4 years. But for that period I want to have security updates for all software I installed, not only “base”. And I want to get them from public repositories hosted on independent mirrors to be sure that I wont be banned by vendor for some reason.

                As for additional support, I don’t need it. I can solve my problems myself and do if faster than Canonical would do. And not only my problems. I also contribute to open source software and I want my contributions to be available to anyone, not only those who pay for support to some company that I have no relationship with.

            • atzanteol@sh.itjust.works
              link
              fedilink
              arrow-up
              2
              arrow-down
              1
              ·
              edit-2
              10 months ago

              There’s no need to register an account with Ubuntu at all. You have no idea what you’re talking about. You don’t need a pro license to get updates for an LTS for 5 years of support. The “base packages” are both the “main” and “restricted” repositories - it isn’t just a few “core libraries” as you seem to think.

              Debian is an excellent distro but I can’t even find out what Debian considers to be covered by their LTS. Their page about it is very vague. I would guess that it’s the same though - “main” repository is what they cover. Similar to Ubuntu.

              • Joe Y ☕️🎮🎄@mastodon.online
                link
                fedilink
                arrow-up
                1
                ·
                10 months ago

                @atzanteol @bizdelnick
                From what I read, the +5 yrs with a Pro account is on top of the LTS 5 yrs support.

                Say Xenial ended last April 2021. With Pro that extends it another 5yrs. With it support ends some time in 2026?

                But that is not +5 from when you got the Pro account. It started ticking the moment Xenial EOL’d. So if I signed up Pro now, my Xenial updates will still end on 2026. Should work for later LTS versions, +5 after base 5 on the same Pro account free up to 5 machines.

              • bizdelnick@lemmy.ml
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                10 months ago

                There’s no need to register an account with Ubuntu at all. You have no idea what you’re talking about. You don’t need a pro license to get updates for an LTS for 5 years of support. The “base packages” are both the “main” and “restricted” repositories - it isn’t just a few “core libraries” as you seem to think.

                Really? So why does apt tell me that I need to get updates for more packages than it has downloaded each time I run apt update? I have latest LTS (22.04) on my laptop. Maybe you have no idea what you are talking about? I could get any updates until recent (year or two? I use that laptop only occasionally, so I don’t remember the exact time), but now it is clear that Canonical goes the same way as RedHat/IBM.

                I would guess that it’s the same though - “main” repository is what they cover. Similar to Ubuntu.

                You are wrong because Debian’s main is not similar to Ubuntu. Debian has no universe repo, all FOSS packages go to main.

                • atzanteol@sh.itjust.works
                  link
                  fedilink
                  arrow-up
                  1
                  arrow-down
                  1
                  ·
                  10 months ago

                  So why does apt tell me that I need to get updates for more packages than it has downloaded each time I run apt update? I have latest LTS (22.04) on my laptop.

                  “I’m going to provide zero information about a problem I’m having, say that I have no idea why it’s happening, and then claim it supports my conclusion - check mate!”