Hi Paul, Salvatore,

I've finally got some time here.

In all honesty, I thought that the pre-negotiated exception for PHP
applied to all future Debian releases, so it did come as a surprise
that I have to explain this again.

The quality of PHP in Debian has increased since we started using
upstream versions to fix security bugs.

The basic release policy is described here:
https://www.php.net/supported-versions.php

> Each release branch of PHP is fully supported for two years from its initial 
> stable release. During this period, bugs and security issues that have been 
> reported are fixed and are released in regular point releases.
> 
> After this two year period of active support, each branch is then supported 
> for an additional year for critical security issues only. Releases during 
> this period are made on an as-needed basis: there may be multiple point 
> releases, or none, depending on the number of reports.
> 
> Once the three years of support are completed, the branch reaches its end of 
> life and is no longer supported. A table of end-of-life branches is available.

There's also a process for introducing new features to the **major** releases: 
https://wiki.php.net/rfc, but that doesn't apply here as we are sticking with a 
single **major** release branch (PHP 8.2); no new features are introduced to 
the single release track.

Upstream makes a new release every four weeks 
(https://www.php.net/ChangeLog-8.php#8.2.4), but we generally only update to 
the releases that contain security fixes, and I don't use the PU process to lighten 
the strain on the release team.

Apart from the upstream release process, all the PHP releases are regularly 
tested via external repositories that I maintain, so even the intermediate 
releases are thoroughly tested by hundreds of thousands or more - the Debian 
repository has 5+ TB of traffic and 150M+ hits; I have no statistics from the 
deployment, but any breakages are very quickly reported.

When the upstream security support ceases, I generally use Remi Collet's 
php-security repository to pull the security fixes for the last upstream 
release, as he's usually swift in preparing those.

Unblocking the latest php8.2 (8.2.4-1 and 8.2.5-1 next week) would be 
appreciated so that the next Debian stable releases with the current PHP version.

Cheers,
Ondrej

On Tue, Mar 28, 2023, at 20:46, Salvatore Bonaccorso wrote:
> Hi Paul,
> 
> On Sun, Mar 26, 2023 at 01:40:10PM +0200, Paul Gevers wrote:
> > Hi Ondřej,
> > 
> > On 26-03-2023 08:36, Ondřej Surý wrote:
> > > just a quick reply - PHP already has a security (and if I remember 
> > > correctly release) team exception from the last time. So, we already had 
> > > this talk about upstream policies.
> > 
> > I *suspect* the same, but because of the sheer amount of work ongoing for
> > the release team at the moment, I hope people can help point to the relevant
> > information instead of us needing to find it.
> > 
> > It can obviously wait a couple of days, we're not *that* close to releasing
> > yet.
> 
> if this helps on the decision: We would, similarly as done for
> bullseye already, want to follow the upstream releases until supported
> by upstream and then switch to cherry-pick security fixes only on top.
> 
> Ondrej can give a more detailed input, so please wait for his reply.
> 
> Regards,
> Salvatore


--
Ondřej Surý (He/Him)
ond...@sury.org