On Tue, 21.12.2004, 17:35, Sam Morris wrote:
> Florian Weimer wrote:
>> * Christian Storch:
>> > > Use a backport of PHP 4.3.10. Apparently, there is no other way at
>> > > this stage to be sure. (Upstream no longer supports PHP 4.1.x.)
>> >
>> > What about a kind of fork into php4-1 for woody?
>>
>> The diff from 4.3.9 to 4.3.10 is about 4,000 lines long. It contains
>> other changes, of course, but you still have to isolate the security
>> fixes. However, in the past, the PHP team neither provided clear
>> descriptions of security bugs, nor were the CVS log messages
>> enlightening. From Debian's point of view, the situation gets more
>> difficult as other distributions withdraw PHP 4.1.x support.
>>
>> What's worse, some of the changed parts are not covered by the PHP
>> test suite. This means that regression testing is not possible (until
>> the update has been installed on a large number of machines).
>>
>>> Or are there any considerations within security team about patching
>>> 4.1 in woody?
>>
>> We are talking about a person-week of work, for someone who is not
>> familiar with the PHP code base. Significantly less work is required
>> if upstream is somewhat supportive and provides a clear description
>> of the bugs, including proper test cases.
>
> I'm sure saying this won't win me any friends, but should software that
> the security team is unable to support have a place in a stable release
> of Debian?
>
> The discussion about volatile.debian.org showed that a newer branch of
> software can't very well be backported to Stable when upstream drops
> support for the version that Stable includes, so that's not an option.
> To mention nothing about maintaining the stability of a stable release.
Don't know if anyone misunderstood my suggestion of "php4-1": I mean a
second branch of php in stable with version 4.3.X which could (hopefully)
further be supported by the security team.

My opinion: increase security for the price of a shorter time of testing.
And a second branch would avoid any unpredictable script problems after
careless upgrading.

And what about http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285845
It's giving a little hope that it could be possible to backport the
security fixes?

Christian

