On 15-May-06, at 11:50 AM, Stefan Esser wrote:
Hey,

The code in the release did not change one bit, the only change was the
inclusion of the missing phar file, this hardly warrants 5.1.5 or even
5.1.4pl1. This will have no impact on people who have already
downloaded and installed PHP, nor will this impact people who have yet
to download PHP.

It will have an effect on everyone using f.e. gentoo linux or BSD port
system, because mysteriously the hash of the tarball changed and people
will get warnings about modified tarballs. It also has the effect that I
am getting emails from people asking me if PHP.net was backdoored,
because the MD5 hash changed....
And if you want to change tarballs and don't change the version number
(which is considered very bad by many people) then at least WARN people
about the modified tarball. A simple message: tarball was missing PEAR
and was therefore rerolled is not so bad...

I'll add that to the 5.1.4 release message on the front page, that
was an oversight on my part.

The patches for security holes are usually in within a week, if you
want to fetch them you can do so either in a form of a PHP snapshot or
a specific patch from CVS. To make releases every time we get a security
fault is impractical.

First the zend_hash_del() bug caused remote code execution in a bunch of
popular PHP scripts. Secondly most open source projects release security
bugfix releases. PHP.net on the other hand doesn't do this anymore.
There are no security only fixes anymore. Instead we release not
properly tested new versions of PHP that break tons of servers.
(fastcgi ....)

"Tons" is a very quantitative number ;-), while fastcgi is definitely a
used SAPI, it is nowhere near the usage of the Apache SAPI or even
plain cgi. According to a basic Google Search mod_php is about 8
times more popular than CGI/FastCGI and of the 24,000 found phpinfo()
for the latter I'd wager no more than 1/2 actually use FastCGI.

And well... I still see no PHP 4.4.3 on PHP.net... However we still
offer the PHP 4.4.2 tarball (knowing that it has critical security
holes). So either we release a security FIX release or we kick the
tarball and declare PHP4 unsupported from now on.

PHP 4 is still supported, no one is suggesting that we discontinue
it. Derick can better comment on when he plans on making the release,
but it will definitely happen.

Ilia
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php