On Sat, 10 Aug 2019 10:17:44 +0200, Martin Waschbüsch stated:

>Hi all,
>
>At least the last two versions of PHP, 5.6 & 7.0, were removed from
>ports as soon as (or even shortly before) they were no longer actively
>maintained upstream. I am unsure what the exact reasoning behind this
>was, but I do not think it is a good idea moving forward:
>
>I suppose it is true that outdated & no longer supported versions of
>PHP could be seen as a security risk. So far so good.
>
>However, if, for whatever reason (and I think there are legitimate
>ones), I still need to use a now obsolete version of PHP, having them
>removed from ports effectively makes it harder for me to keep
>everything else up-to-date. I might have to stick with an old ports
>revision so I cannot update other packages. If I just keep PHP as is,
>and update other packages, I cannot easily switch to a new version of
>FreeBSD itself, because I'd have to go back to an old revision of
>ports (hopefully working with the OS version I updated to) to compile
>PHP and then do other packages. Libraries / dependencies may change
>and break my PHP, etc. So, on top of possible security concerns for
>the outdated software I use, I basically get an overall less secure /
>stable system to boot.
>
>Now, I am not suggesting we leave every old and outdated PHP version
>in ports, but why remove a port just days after it received its last
>security update upstream? (With PHP 5.6 it was actually removed from
>ports before it got its last update upstream.)
>
>Would it not be better to have, say, the last two versions before
>current stable still in ports but with a huge disclaimer saying: use
>at your own risk, etc.?
>
>What do y'all think?
>
>Martin
If I might be allowed to interpolate, I believe that continuing to expose obsolete versions of software in the 'ports' system is a bad idea. It is enabling the use of software that, for one reason or another, has been superseded by a newer and possibly safer or more mature version.

Usually, when a version or application is going to be removed from the 'ports' system, it is duly noted well in advance. I would recommend that we set a hard number, say 6 months or one year at max, before said software is removed. That should give even the most procrastinating user ample time to render his/her system ready for that inevitability. If they have not accomplished that within the set time frame, they probably were never serious about doing it.

Just my 2¢.

-- 
Carmel