Martin Waschbüsch wrote on 2019/08/16 09:27:
Thank you for your input.
While I agree that PHP, in general, has been and still is a source of lots of
security issues, I do not think this is the central point in this debate.
There might be a high probability of security issues that are PHP related for
all I know, but again, the real question is:
Why drop a package that has just had recent security updates after a couple of
weeks?
I pointed out that I do not think lack of upstream development is in and of
itself sufficient grounds for doing so. At the very least, while it may be
unwise to use a now obsolete version of PHP, I doubt if an argument along the
lines of 'We removed this from ports. It's for your own good' is a very good
one. (For a number of reasons).
+1
The only other arguments I got so far seem to be about resources. I can
understand that. With limited resources you have to prioritize and something
will have to give.
Now, in a reply to Adam, I asked specifically if there were pointers that would
help me evaluate how much effort is really involved.
(My working theory being that I so far underestimate the work required to do
this.)
The effort to keep 5.6 in a tree for a few more months would be ... very
little. It was done in quaterly branch after 5.6 was removed from head
branch. I did my own updated version of the port (and extensions) from
5.6.39 to 5.6.40 without any issues - running on couple of machines till
this day.
Also, I asked if people were open to letting a group of people interested in
doing so continue to maintain an old version of php so that it does not have to
be removed from ports.
Kurt suggested that as a feasible way forward and I agree.
Earlier, Adam seemed open to discussing a way forward as well, but I am not
sure that still is the case.
Since I do not yet feel comfortable that I correctly estimate the amount of
work, if enough people can be found to volunteer for this, but I remain hopeful.
All this notwithstanding, would you be willing to exchange hints & ideas about
securing (as far as possible) PHP setups some more, off-list?
I'd like to ask some more about your approach.
You can put webserver, or just php-fpm inside jail and then just nullfs
mount the directory tree with websites on partition with noexec mount
flag .. to name a few.
Kind regards
Miroslav Lachman
_______________________________________________
freebsd-ports@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-ports
To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"