On Tue, Sep 19, 2017 at 07:59:00PM +0200, rainer@ultra-secure.de wrote:
With PHP, I try to stay as close to upstream as possible. If upstream EOLs a version, it's time to upgrade.
If you want something stable, don't run PHP.
Unfortunately, with that philosophy but not much systems management experience, you end up with custom-compiled and local installs of PHP that get no security updates, particularly as you get version lock-in by the web application developers, or when you have a sysadmin move on to a new position or company.
I think the statement "If you want something stable, don't run PHP" is a very wise statement though.