[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
If it makes sense to demote libapache2-mod-php and promote the new package, that sounds ok. But that's a seed change for ubuntu-server. Re-assigning for feedback.

** Package changed: php7.0 (Ubuntu) => php7.2 (Ubuntu)

** Summary changed:

- [MIR] php7.0 (php7.0-fpm binary)
+ [MIR] php7.2 (php7.2-fpm binary)

** Changed in: php7.2 (Ubuntu)
     Assignee: Matthias Klose (doko) => Ubuntu Server (ubuntu-server)

** Changed in: php7.2 (Ubuntu)
     Assignee: Ubuntu Server (ubuntu-server) => Matthias Klose (doko)

** Changed in: php7.2 (Ubuntu)
     Assignee: Matthias Klose (doko) => Ubuntu Server (ubuntu-server)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1267255

Title:
  [MIR] php7.2 (php7.2-fpm binary)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/php7.2/+bug/1267255/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
Thanks for the clarification Robie! Btw, I agree that it's totally reasonable not to move packages to a different component after release. That's why I asked if php7.0-fpm will be moved to main in the next LTS release (18.04). I still think that it would be great to have all packages that are built from src:php7.0 in main (with guaranteed updates) instead of spreading them out over different components...
Re: [Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
On Tue, Jun 13, 2017 at 12:36:40PM -, JK wrote:
> So, my remaining questions are:
> - how long will "php7.0-fpm" receive security updates and critical bug-fixes?

At least until 16.04 is EOL (April 2021), but see my answer to the next question.

> - what does "community supported" actually mean? Is it officially defined somewhere?

It means that Canonical make no firm commitment to provide updates, but all acceptable updates prepared by community members will be gratefully accepted. If you are a developer, see https://wiki.ubuntu.com/StableReleaseUpdates and https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation for instructions on how to prepare and submit these.

> - how long are packages from universe actually supported and what kind of updates (security, critical bugs, etc.) do they receive?

The same as for main, except that we rely on developers volunteering updates (both for security and critical bugs) rather than having someone at Canonical committed to providing them.

I should add:

* It would be quite unusual to move php7.0-fpm to main *in 16.04*. Usually the main/universe split and associated commitments are decided before release, and 16.04 has already been released. A change to move php7.0-fpm, if it were to happen, would affect future releases, not past ones.

* In practice, most PHP vulnerabilities are likely to affect more than just php7.0-fpm. Since php7.0-fpm is built from the same src:php7.0, it is likely that you'll get updates from Canonical anyway, since an update to the source is likely to be necessary to update the binary packages built from the same source that _are_ in main.
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
After some more research, I think that I partly mixed up the "-security vs -updates" with the "main vs. universe" issue. If I understood correctly, -updates contains package updates that are not security related while -security contains only security related updates, but these pockets are NOT related to the "components" (main, universe, etc.), i.e. packages from universe are also updated through the -security and -updates pockets, as long as they are supported / maintained. If that's correct, then please ignore my question regarding the unattended-upgrades ;-)

So, my remaining questions are:
- how long will "php7.0-fpm" receive security updates and critical bug-fixes?
- what does "community supported" actually mean? Is it officially defined somewhere?
- how long are packages from universe actually supported and what kind of updates (security, critical bugs, etc.) do they receive?

Thanks
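The pocket-versus-component distinction worked out in the message above, and the unattended-upgrades question raised earlier in the thread, can be checked mechanically. The following POSIX shell script is an added example written for this page; it is not code from the bug thread, from Ubuntu or from unattended-upgrades itself. It models the rule that unattended-upgrades' default Allowed-Origins entries are "origin:archive" pairs (archive meaning the pocket, e.g. xenial-security), so the component (main or universe) is not part of the match. The SOURCES and PKG_POLICY strings are constructed in the shape of `apt-cache policy` output, with invented version numbers; the function names and the ALLOWED list are this example's own. On a real host you would pipe the live `apt-cache policy` output into the same functions.

```shell
#!/bin/sh
# Added example; not code from the bug thread or from Ubuntu. It models how
# unattended-upgrades decides what to install: the default Allowed-Origins
# entries are "origin:archive" (archive = pocket such as xenial-security) and
# the component (main/universe) is not part of that match. A universe package
# published to xenial-security is therefore auto-installed like a main one,
# while a package published only to xenial-updates is not unless -updates is
# enabled. All sample text below is constructed in the shape of apt-cache
# output; it was not captured from a real host and the versions are invented.

# Constructed excerpt of `apt-cache policy` (no package argument) on 16.04.
SOURCES='Package files:
 500 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=universe,b=amd64
 500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-security,n=xenial,l=Ubuntu,c=main,b=amd64
 500 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-updates,n=xenial,l=Ubuntu,c=universe,b=amd64
 500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial,n=xenial,l=Ubuntu,c=universe,b=amd64'

# Constructed excerpt of `apt-cache policy php7.0-fpm` (invented versions).
PKG_POLICY='php7.0-fpm:
  Installed: 7.0.0-1
  Candidate: 7.0.1-0ubuntu0.16.04.1
  Version table:
     7.0.1-0ubuntu0.16.04.1 500
        500 http://security.ubuntu.com/ubuntu xenial-security/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu xenial-updates/universe amd64 Packages
 *** 7.0.0-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status'

# What xenial enables in Unattended-Upgrade::Allowed-Origins by default:
# the release pocket plus -security; the -updates entry ships commented out.
ALLOWED='Ubuntu:xenial Ubuntu:xenial-security'

# release_fields: one "origin:archive component" line per package source.
release_fields() {
  printf '%s\n' "$1" | awk '
    /^ *release / {
      n = split($2, kv, ","); o = a = c = ""
      for (i = 1; i <= n; i++) {
        split(kv[i], p, "=")
        if (p[1] == "o") o = p[2]
        if (p[1] == "a") a = p[2]
        if (p[1] == "c") c = p[2]
      }
      print o ":" a " " c
    }'
}

# allowed_sources: the sources accepted under the allowed list ($2, default
# ALLOWED). Only the origin:archive tag is compared; the component is printed
# alongside purely to show that universe sources pass as well.
allowed_sources() {
  release_fields "$1" | while read -r tag comp; do
    for pat in ${2:-$ALLOWED}; do
      if [ "$tag" = "$pat" ]; then printf '%s %s\n' "$tag" "$comp"; fi
    done
  done
}

# count_allowed: how many accepted sources carry component $2.
count_allowed() {
  allowed_sources "$1" | awk -v want="$2" '$2 == want { n++ } END { print n + 0 }'
}

# candidate_sources: "pocket component" for every source that carries the
# candidate version in an `apt-cache policy <pkg>` listing.
candidate_sources() {
  printf '%s\n' "$1" | awk '
    $1 == "Candidate:" { cand = $2; next }
    /^ *(\*\*\* )?[^ ]+ [0-9]+$/ {
      in_cand = ($1 == cand || ($1 == "***" && $2 == cand)); next
    }
    in_cand && $2 ~ /^http/ { split($3, pc, "/"); print pc[1] " " pc[2] }'
}

# would_autoinstall: exit 0 if any source of the candidate version sits in an
# allowed pocket (origin assumed to be Ubuntu, as in the release lines above).
would_autoinstall() {
  candidate_sources "$1" | awk -v allowed="${2:-$ALLOWED}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    ("Ubuntu:" $1) in ok { found = 1 }
    END { exit found ? 0 : 1 }'
}

echo "sources accepted under the default Allowed-Origins:"
allowed_sources "$SOURCES"
echo "candidate php7.0-fpm is published in:"
candidate_sources "$PKG_POLICY"
if would_autoinstall "$PKG_POLICY"; then
  echo "php7.0-fpm candidate would be auto-installed (via xenial-security)"
fi
```

The practical consequence: with only `"${distro_id}:${distro_codename}-security";` enabled in /etc/apt/apt.conf.d/50unattended-upgrades, a universe package still receives whatever is published to the -security pocket; what it does not receive is anything published only to -updates, which is where a volunteer-prepared SRU for a universe package lands when it is not handled as a security update. Enabling the -updates origin widens what gets installed to non-security fixes as well, so it is a trade-off rather than a pure security gain.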
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
Thanks for your fast response, Nish!

> Well, that's odd, but as you found in the related bug, also expected
> (with the older ubuntu-support-status command).

I don't think it's wrong in case of "php7.0-fpm", because this package is in universe and therefore actually _not_ "officially supported by the security team", as mentioned here: https://wiki.ubuntu.com/SecurityTeam/FAQ.

> What is "this" problem in this sentence? That a tool mentions unsupported status?

No, the problem is that "php7.0-fpm" is in universe and therefore "not officially supported by the security team", while it's at the same time a very important component of most web servers. Unfortunately, I couldn't find any official statement explaining what "unsupported" (or "community supported", as it's called now) actually means.

On my 16.04 server, I noticed that I did not receive any updates to "php7.0-fpm" (and the other packages listed above) from "xenial-security" after the first 9 months. I know that there are updates available in "xenial-updates". But, like probably most LTS server administrators, I've only enabled unattended upgrades from "xenial-security" on my server and therefore did not receive the php7.0-XXX updates for a long time... I've now also enabled unattended upgrades from "xenial-updates", hoping that I get security fixes for my "php7.0-XXX" packages from there, but I'm not sure if that will be the case, because php7.0-fpm is in universe. Furthermore, I'm not sure if enabling unattended upgrades from "xenial-updates" may cause problems, because it does not only contain security fixes... What is considered "best practice" in this case?

> Again, I think you're just misapprehending what is 'supported' (in that
> there is someone paying attention? -- I'm not sure what you expect,
> exactly) vs. what is in main?

OK, I'll try to make it more clear. This is what I understood so far: according to the source mentioned above, "officially supported" means (in case of Xenial) that a package receives regular security fixes through "xenial-security" for 5 years, while "community supported" means something like "There may be updates, but it's not guaranteed. They may be released shortly after upstream, but maybe only 2 years later. Also, there is no clear distinction between security fixes and other updates." The latter seems to be true for all packages in universe, no matter if they come from "xenial-updates" or any other pocket. Only the packages in main are "officially supported". And therefore my conclusion is: packages in "universe" are not reliably updated after 9 months and should therefore not be installed on a (public) web server that is only upgraded every 2 to 5 years. This is pretty unrealistic for "php7.0-fpm" (I simply need it), that's why I'd like to have it in main. Please correct me if I'm wrong (some sources / official statements would be nice too)! I really hope that I'm wrong in this case :-)

> To be clear, regardless of what `ubuntu-support-status` says, it's not
> like php7.0-fpm is going to stop being available or bugs fixed (there
> aren't that many filed, afaict).

Sounds good, but what does that mean exactly? How long will I receive updates for "php7.0-fpm" on my xenial server? 5 years? Will these updates contain only security fixes? Will they be released shortly after upstream fixes?
Re: [Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
On 12.06.2017 [13:25:19 -], JK wrote:
> It's almost a year since the last comment... Any news on this? I've only
> recently noticed that "ubuntu-support-status --show-unsupported | grep
> php7" shows php7.0-fpm (and other PHP packages) as unsupported in 16.04
> LTS:
>
> > php-zip php7.0-fpm php7.0-imap php7.0-intl php7.0-mbstring
> php7.0-mcrypt php7.0-xsl php7.0-zip

Well, that's odd, but as you found in the related bug, also expected (with the older ubuntu-support-status command).

> I did not find any other usable information on this topic beside this
> bug report. Most people probably don't even know about this problem.

What is "this" problem in this sentence? That a tool mentions unsupported status?

> It's easy to overlook though, since the "php7.0" meta-package is in main
> and "apt-cache show php7.0" shows it as fully supported:
>
> > Package: php7.0
> > Priority: optional
> > Section: php
> [...]
> > Depends: php7.0-fpm | libapache2-mod-php7.0 | php7.0-cgi, php7.0-common
> [...]
> > Supported: 5y

Ignore the Supported value, as mentioned in the first comment in the bug you linked to later.

> And, what's even more confusing, it also depends on "php7.0-fpm".

It depends on a disjunction of three packages. As long as one of them is in main (in this case libapache2-mod-php7.0) there is no issue.

> Imo, most people who see this will think: "OK, PHP7 has 5 year
> support, so I'm safe with my Ubuntu LTS". But in fact, they are not...
> at least if they use FPM (what they probably do).

What is "safe" and why are they not? Are you misunderstanding what ubuntu-support-status says? I'm very confused, because you already found the other bug that says the output is wrong.

> Like most people here, I think that php7-fpm should definitely be
> supported for the full LTS period, because it's a basic component of
> most web servers. How is the chance that it will be the case in the next
> LTS version?

Again, I think you're just misapprehending what is 'supported' (in that there is someone paying attention? -- I'm not sure what you expect, exactly) vs. what is in main?

> BTW: this bug report is slightly related, because it deals with the
> problem of the different support timespans in LTS and the bad image
> Ubuntu LTS has because of it: https://bugs.launchpad.net/ubuntu/+source
> /update-manager/+bug/1574670

Basically, the bug you are reporting, as far as I can tell, is this one, not the one against PHP. It feels like it overloads the term 'supported'. As far as I can tell, as that bug documents, `ubuntu-support-status` reflects the main/universe split, but in an unclear way. It's been fixed in 16.10+, I'm not sure why/if it will be backported to older releases as Bug #1574670 mentions.

To be clear, regardless of what `ubuntu-support-status` says, it's not like php7.0-fpm is going to stop being available or bugs fixed (there aren't that many filed, afaict).
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
It's almost a year since the last comment... Any news on this? I've only recently noticed that "ubuntu-support-status --show-unsupported | grep php7" shows php7.0-fpm (and other PHP packages) as unsupported in 16.04 LTS:

> php-zip php7.0-fpm php7.0-imap php7.0-intl php7.0-mbstring php7.0-mcrypt php7.0-xsl php7.0-zip

I did not find any other usable information on this topic beside this bug report. Most people probably don't even know about this problem. It's easy to overlook though, since the "php7.0" meta-package is in main and "apt-cache show php7.0" shows it as fully supported:

> Package: php7.0
> Priority: optional
> Section: php
[...]
> Depends: php7.0-fpm | libapache2-mod-php7.0 | php7.0-cgi, php7.0-common
[...]
> Supported: 5y

And, what's even more confusing, it also depends on "php7.0-fpm". Imo, most people who see this will think: "OK, PHP7 has 5 year support, so I'm safe with my Ubuntu LTS". But in fact, they are not... at least if they use FPM (what they probably do).

Like most people here, I think that php7-fpm should definitely be supported for the full LTS period, because it's a basic component of most web servers. How is the chance that it will be the case in the next LTS version?

BTW: this bug report is slightly related, because it deals with the problem of the different support timespans in LTS and the bad image Ubuntu LTS has because of it: https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1574670
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
Well it's about whether Canonical is on the hook for support or not. Ideally the security and server teams don't have to support two versions of the module.
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
It's the same source package, I don't think we need to demote libapache2-mod-php7.0.
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
Doko, do you have an opinion here? I'm tempted to make the switch based on Seth's comments, assuming that we can demote libapache2-mod-php7.0.

** Changed in: php7.0 (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Matthias Klose (doko)
[Bug 1267255] Re: [MIR] php7.0 (php7.0-fpm binary)
There appear to be 14 bugs open that mention FPM currently (https://launchpad.net/ubuntu/+source/php5/+bugs?field.searchtext=fpm), some of which look like they can be ignored.

* #1283478 - Affects FPM. Crash when non-default configuration used. Raised upstream with PHP but no activity.
* #1288129 - Affects FPM. Raised upstream, patch available, brief review by PHP dev but no activity since May.
* #1385050 - Affects FPM on Trusty. More information needed.
* #1463076 - May have been fixed in Debian? Version 5.5.10+dfsg-1 changelog has the note "Implement more robust way of handling php5-fpm reopen logs from logrotate" but there's no Debian bug linked so can't compare this issue against it.

Bugs that can be ignored:

* #1131115 - Incomplete bug.
* #1352617 - Fixed in Trusty.
* #1406026 - Incomplete bug.
* #1334572 - Unclear where issue lies - apparent packaging issue, but related to a conffile automatically marked as such since it's in /etc, so not related to FPM itself.
* #1475309 - Bug with opcache, not FPM.
* #1325083 - Incomplete bug.
* #195 - Incomplete bug.
* #1407670 - Incomplete bug.
* #1430033 - Error on installation, log appears to show problem with php5-cli installation, not php5-fpm.
* #1439925 - Issue with php5-mysql & php5-mysqlnd packaging on Trusty, not php5-fpm.

By my estimation, there are just three or four bugs that need attention, which doesn't look that bad, unless I've missed something? Just a matter of putting pressure on PHP for fixes for the first two, and somehow reproducing the second two, or marking as incomplete if no further information is provided.