Excerpts from Johannes Schlüter's message of Mon Mar 26 16:09:20 -0700 2012:
> On Mon, 2012-03-26 at 12:00 -0700, Clint Byrum wrote:
> >
> > Our hands are tied, as the security team still does not feel
> > comfortable shipping a PHP without Suhosin. Perhaps more can be done
> > to convince the world that this is a safe thing to do now, but for
> > now, we're taking the extremely conservative stance and shipping
> > 5.3.10 with the Suhosin patch.
> >
> > Thanks everyone for chiming in, and especially thanks to Ondrej for
> > pushing hard to get things tested and rebuilt.
>
> Thinking loud: One could also ship both. Yes this doubles the effort but
> gives users a choice :-)

This simply won't happen in the main archive of Ubuntu. The whole point of having a version from the archive in an LTS is that it receives security updates for 5 years, regardless of upstream releasing fixes or not.

If users want something unsupported, an effort can be made to set up a PPA:

https://help.launchpad.net/Packaging/PPA

In fact, Ondrej already went through the trouble of creating one for testing purposes:

https://launchpad.net/~ondrej/+archive/php5

Ubuntu's paid (by Canonical) security team does not have the resources to support two versions of anything really. Oftentimes two versions of something are provided (like python 2.6 and 2.7) during a transition like we see in PHP right now. However, one is generally in universe, which means it is only supported by the community.

I think the lesson here is to get the necessary bits from Suhosin into PHP's core so that users can feel safe when using stock PHP, rather than needing to wait for the good and generous folks at the hardened PHP project to catch up.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php