Thanks for your fast response, Nish!

> Well, that's odd, but as you found in the related bug, also expected
> (with the older ubuntu-support-status command).

I don't think it's wrong in case of "php7.0-fpm", because this package is in universe and therefore actually _not_ "officially supported by the security team", as mentioned here: https://wiki.ubuntu.com/SecurityTeam/FAQ.

> What is "this" problem in this sentence? That a tool mentions unsupported status?

No, the problem is that "php7.0-fpm" is in universe and therefore "not officially supported by the security team", while it's at the same time a very important component of most web servers. Unfortunately, I couldn't find any official statement explaining what "unsupported" (or "community supported", as it's called now) actually means.

On my 16.04 server, I noticed that I did not receive any updates to "php7.0-fpm" (and the other packages listed above) from "xenial-security" after the first 9 months. I know that there are updates available in "xenial-updates". But, like probably most LTS server administrators, I've only enabled unattended upgrades from "xenial-security" on my server and therefore did not receive the php7.0-XXX updates for a long time...

I've now also enabled unattended upgrades from "xenial-updates", hoping that I get security fixes for my "php7.0-XXX" packages from there, but I'm not sure if that will be the case, because php7.0-fpm is in universe. Furthermore, I'm not sure if enabling unattended upgrades from "xenial-updates" may cause problems, because it does not only contain security fixes... What is considered "best practice" in this case?

> Again, I think you're just misapprehending what is 'supported' (in that
> there is someone paying attention? -- I'm not sure what you expect,
> exactly) vs. what is in main?

OK, I'll try to make it more clear. This is what I understood so far: according to the source mentioned above, "officially supported" means (in case of Xenial) that a package receives regular security fixes through "xenial-security" for 5 years, while "community supported" means something like "There may be updates, but it's not guaranteed. They may be released shortly after upstream, but maybe only 2 years later. Also, there is no clear distinction between security fixes and other updates." The latter seems to be true for all packages in universe, no matter if they come from "xenial-updates" or any other pocket. Only the packages in main are "officially supported".

And therefore my conclusion is: packages in "universe" are not reliably updated after 9 months and should therefore not be installed on a (public) web server that is only upgraded every 2 to 5 years. This is pretty unrealistic for "php7.0-fpm" (I simply need it), that's why I like to have it in main.

Please correct me if I'm wrong (some sources / official statements would be nice too)! I really hope that I'm wrong in this case :-)

> To be clear, regardless of what `ubuntu-support-status` says, it's not
> like php7.0-fpm is going to stop being available or bugs fixed (there
> aren't that many filed, afaict).

Sounds good, but what does that mean exactly? How long will I receive updates for "php7.0-fpm" on my xenial server? 5 years? Will these updates contain only security fixes? Will they be released shortly after upstream fixes?

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1267255

Title:
  [MIR] php7.0 (php7.0-fpm binary)
