* Christian Storch:

>> Use a backport of PHP 4.3.10. Apparently, there is no other way at
>> this stage to be sure. (Upstream no longer supports PHP 4.1.x.)
>
> What about a kind of fork into php4-1 for woody?

The diff from 4.3.9 to 4.3.10 is about 4,000 lines long. It contains other changes, of course, but you still have to isolate the security fixes. However, in the past, the PHP team neither provided clear descriptions of security bugs, nor were the CVS log messages enlightening. From Debian's point of view, the situation gets more difficult as other distributions withdraw PHP 4.1.x support. What's worse, some of the changed parts are not covered by the PHP test suite. This means that regression testing is not possible (until the update has been installed on a large number of machines).

> Or are there any considerations within security team about patching
> 4.1 in woody?

Probably lack of time. Fixing these bugs is not particularly rewarding (like the Mozilla or Samba bugs). We are talking about a person-week of work, for someone who is not familiar with the PHP code base. Significantly less work is required if upstream is somewhat supportive and provides a clear description of the bugs, including proper test cases. Most people I know have already switched to 4.3.x anyway, which makes it less likely that someone is going to invest so much work.

On the other hand, it's certainly a great way to become one of the unsung heroes of Debian. 8-)

