On 2017-09-19 20:06, Jonathan Billings wrote:
> On Tue, Sep 19, 2017 at 07:59:00PM +0200, rainer at ultra-secure.de wrote:
>> With PHP, I try to stay as close to upstream as possible.
>> If upstream EOLs a version, it's time to upgrade.
>>
>> If you want something stable, don't run PHP.
>
> Unfortunately, with that philosophy but not much systems management
> experience, you end up with custom-compiled and local installs of PHP
> that get no security updates, particularly as you get version lock-in
> by the web application developers, or when you have a sysadmin move on
> to a new position or company.
>

Yep.

We've got a lot of those "abandoned" PHP webs that can't be moved because they only run on anything between PHP 4.4 and 5.5. Usually it's Typo3 or so.

To move from Typo3 4.3 on PHP 5.3 to PHP 7, you'd have to upgrade to Typo3 6.something on that PHP 5.3 host, then move that installation to a PHP 5.5 host, where you could upgrade to Typo3 7 LTS, which you could then move to a PHP 7 host.

Obviously, none of the custom extensions and a lot of "hacks" would survive even the first upgrade/move - and thankfully usually everybody is sane enough to even think about doing that.

You'd have to start from scratch, which would cost the customer real money (they would have to pay some agency to re-design the website), so it never gets done. This is especially true for customers from the hospitality sector, which are especially stingy with any kind of expenditure. Because, as everybody can see, the website still runs and as such it does not need an upgrade.

> I think the statement "If you want something stable, don't run PHP" is
> a very wise statement though.

PHP is not stable in the same sense as RHEL 7 is stable. On RHEL, it's sort of stable - but only for a rather small number of PHP modules. And as such, it's not (IMO) useful for anything but legacy stuff that you can't move or upgrade.