LinuxQuestions.org
Old 02-18-2022, 02:25 AM   #1
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 167

Rep: Reputation: Disabled
Slackware 15.0 strategy and support regarding PHP?


Knowing the significant issue this posed for Slackware-14.2 (and the protracted development of -15), PHP being a major component in most scenarios featuring Slackware as a web server, I feel compelled to ask this:

Slackware-15.0 ships PHP-7.4.
The distro itself was launched on February 3rd 2022, about 2 months after the php-7.4 generation ended active support and entered security-only support, which will last only until November 2022. It is also the last iteration of the 7.x generation.

PHP-8.0 and PHP-8.1 are under active support & development with a longer projected overall support lifetime.
Also, PHP-8.x introduces various changes that may require PHP apps working on 7.x to be adapted (some with significant rewrites) to work on it.

It is immediately obvious to anyone running a webserver on Slackware-15.0 that the shipped PHP version will be out of support in less than a year and future potentially discovered vulnerabilities won't be fixed.

The addition of php8.0 and php8.1 in /extra is a very nice improvement, however with the major caveat that packages under /extra don't get security updates.

Sysadmins would then have the following options:
  • continue running the old and unsupported version of PHP, even after it becomes known to be vulnerable
  • take the packages from /extra and manage future security updates by rebuilding from source themselves
  • presume -current will have PHP-8 (at distro level) at that time, take the build script from there, including changing any other dependency as necessary to get it built and support future security updates by themselves
  • hack build script for PHP-8 and necessary dependencies and support future updates by themselves

With previous experience having had to resort to a combination of the last two points above, knowing the Slackware philosophy for stability and consistency (with which I agree, most of it, with few exceptions though) I have to ask:

How will Slackware support PHP beyond 28 Nov 2022?
  • freeze PHP version, leaving systems open to future discovery of vulnerabilities
  • upgrade PHP to generation 8 (like 8.0)
  • provide security updates for 8.0 and 8.1 from /extra
  • other?

Thank you.
 
Old 02-18-2022, 02:33 AM   #2
ponce
LQ Guru
 
Registered: Aug 2004
Location: Pisa, Italy
Distribution: Slackware
Posts: 7,142

Rep: Reputation: 4211
FWIW in production I'm using php-7.4.x in /n/ and php80 from /extra and I can see that the latter one also got security updates
Code:
Fri Feb 18 05:29:00 UTC 2022
[...]
n/php-7.4.28-x86_64-1.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
  (* Security fix *)
[...]
extra/php80/php80-8.0.16-x86_64-1.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
  (* Security fix *)
extra/php81/php81-8.1.3-x86_64-1.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21708
  (* Security fix *)
so maybe your question is already answered?
 
1 members found this post helpful.
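The check described in this exchange (reading the ChangeLog to see which trees receive security fixes) can be scripted. This is an added example, not part of the thread: the function names are hypothetical, the sample reuses the entries quoted in post #2, and the final `x/` entry is constructed to show a non-security change.

```shell
#!/bin/sh
# security_fixes [CHANGELOG...]
# Prints "<tree> <package path>" for every ChangeLog entry that carries the
# "(* Security fix *)" marker. <tree> is the first path component.
security_fixes() {
    awk '
        # A package entry starts in column 0: "<dir>/<name>.t?z:  <Action>."
        /^[^ ].*\.t[a-z]z:/ {
            pkg = $1
            sub(/:$/, "", pkg)
            next
        }
        # Any other non-indented line (date stamp, separator) ends the entry.
        /^[^ ]/ { pkg = ""; next }
        # Indented body line with the marker: report the entry once.
        /\(\* Security fix \*\)/ && pkg != "" {
            tree = pkg
            sub(/\/.*/, "", tree)
            print tree, pkg
            pkg = ""
        }
    ' "$@"
}

# Sample input: entries from post #2, plus one constructed non-security entry.
sample_changelog() {
    cat <<'EOF'
Fri Feb 18 05:29:00 UTC 2022
n/php-7.4.28-x86_64-1.txz:  Upgraded.
  This update fixes bugs and a security issue:
  UAF due to php_filter_float() failing for ints.
  (* Security fix *)
extra/php80/php80-8.0.16-x86_64-1.txz:  Upgraded.
  This update fixes bugs and a security issue:
  (* Security fix *)
extra/php81/php81-8.1.3-x86_64-1.txz:  Upgraded.
  This update fixes bugs and a security issue:
  (* Security fix *)
x/constructed-example-1.0-x86_64-1.txz:  Rebuilt.
EOF
}

sample_changelog | security_fixes
```

Run it against a local copy of ChangeLog.txt and filter on the first column (for example `security_fixes ChangeLog.txt | grep '^extra '`) to list the flagged entries for one tree.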
Old 02-18-2022, 03:09 AM   #3
rkelsen
Senior Member
 
Registered: Sep 2004
Distribution: slackware
Posts: 4,491
Blog Entries: 7

Rep: Reputation: 2581
Quote:
Originally Posted by andrixnet View Post
The addition of php8.0 and php8.1 in /extra is a very nice improvement, however with the major caveat that packages under /extra don't get security updates.
Don't they? Methinks you'd best look at the ChangeLog...
 
Old 02-18-2022, 03:13 AM   #4
andrixnet
Member
 
Registered: Oct 2012
Location: Romania
Distribution: Slackware
Posts: 167

Original Poster
Rep: Reputation: Disabled
I was not aware until pointed out just now that packages under /extra get security updates.
AFAIK security updates came under /patches and this covers only what is distributed under /slackware.

I sincerely hope that security updates on /extra are a rule (perhaps it deserves a bit more highlight, don't remember reading anywhere that /extra officially gets updates) not an exception or occasional occurrence.

Having php80 and php81 in /extra is an excellent bonus for which I am thankful to Patrick for including.
 
Old 07-23-2022, 12:55 PM   #5
ndavilam
Member
 
Registered: Oct 2015
Location: Ecuador
Distribution: Slackware
Posts: 62

Rep: Reputation: 14
I have installed PHP 8.1 from the /extra folder and when doing a "php -v", it shows this error:

PHP Warning: PHP Startup: Unable to load dynamic library 'xmlrpc' (tried: /usr/lib64/php/extensions/xmlrpc (/usr/lib64/php/extensions/xmlrpc: cannot open shared object file: No such file or directory), /usr/lib64/php/extensions/xmlrpc.so (/usr/lib64/php/extensions/xmlrpc.so: cannot open shared object file: No such file or directory)) in Unknown on line 0
PHP 8.1.8 (cli) (built: Jul 7 2022 13:35:31) (ZTS)
Copyright (c) The PHP Group
Zend Engine v4.1.8, Copyright (c) Zend Technologies
with Zend OPcache v8.1.8, Copyright (c), by Zend Technologies



Should this extension be included in the package?
Or is it a library outside of the main Slackware/extra package?
 
Old 07-23-2022, 05:06 PM   #6
ctrlaltca
Member
 
Registered: May 2019
Location: Italy
Distribution: Slackware
Posts: 338

Rep: Reputation: 394
The xmlrpc extension has been removed in php 8.x; I guess you didn't update your php.ini.
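A way to find every such stale entry before PHP warns about it, as an added example that is not part of the thread: it lists extensions enabled in a php.ini whose shared object is missing from the extension directory, trying the same two file names the warning in post #5 shows. Function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# missing_extensions INI_FILE EXT_DIR
# Prints each extension enabled in INI_FILE that has no matching file in
# EXT_DIR. PHP tries "<name>" and "<name>.so", so both are checked.
missing_extensions() {
    ini=$1 dir=$2
    # Keep active "extension=" / "zend_extension=" lines; lines starting
    # with ";" are comments and do not match.
    sed -n 's/^[[:space:]]*\(zend_\)\{0,1\}extension[[:space:]]*=[[:space:]]*//p' "$ini" |
    # Drop trailing comments, trailing blanks and surrounding quotes.
    sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/' |
    while IFS= read -r ext; do
        [ -n "$ext" ] || continue
        case $ext in
            /*) [ -e "$ext" ] || printf '%s\n' "$ext" ;;   # absolute path
            *)  [ -e "$dir/$ext" ] || [ -e "$dir/$ext.so" ] ||
                    printf '%s\n' "$ext" ;;
        esac
    done
}

# Constructed demo: a php.ini carried over from 7.4 and an extension
# directory that no longer ships xmlrpc.
demo_missing_extensions() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/extensions"
    : > "$tmp/extensions/curl.so"
    : > "$tmp/extensions/opcache.so"
    cat > "$tmp/php.ini" <<'EOF'
; constructed sample
extension=curl
;extension=gd
extension=xmlrpc    ; still enabled from the old configuration
zend_extension=opcache
EOF
    missing_extensions "$tmp/php.ini" "$tmp/extensions"
    rm -rf "$tmp"
}

demo_missing_extensions
```

On a real system, pass the configuration file reported by `php --ini` and the extension directory named in the warning (`/usr/lib64/php/extensions` in post #5).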
 
Old 07-23-2022, 07:25 PM   #7
ndavilam
Member
 
Registered: Oct 2015
Location: Ecuador
Distribution: Slackware
Posts: 62

Rep: Reputation: 14
Thanks for your answer.

Now that you tell me, I found this link:
https://php.watch/versions/8.0/xmlrpc


Quote:
Originally Posted by ctrlaltca View Post
The xmlrpc extension has been removed in php 8.x; I guess you didn't update your php.ini.
 
  

