Knowing the significant issue this posed for Slackware-14.2 (and the protracted development of -15), PHP being a major component in most scenarios featuring Slackware as a web server, I feel compelled to ask this:
Slackware-15.0 ships PHP-7.4.
The distro itself was launched on February 3rd 2022, about 2 months after the php-7.4 generation ended active support and entered security support only, which will only last until November 2022. Also, this is the last iteration of the 7.x generations.
PHP-8.0 and PHP-8.1 are under active support & development with a longer projected overall support lifetime.
Also PHP-8.x introduces various changes that may require PHP apps working on 7.x be adapted (some with significant rewrites) to work on it.
It is immediately obvious to anyone running a webserver on Slackware-15.0 that the shipped PHP version will be out of support in less than a year and future potentially discovered vulnerabilities won't be fixed.
The addition of php8.0 and php8.1 in /extra is a very nice improvement, however with the major caveat that packages under /extra don't get security updates.
Sysadmins would then have the following options:
- continue running the old and unsupported version of PHP, even after it becomes known to be vulnerable
- take the packages from /extra and manage future security updates by rebuilding from source themselves
- presume -current will have PHP-8 (at distro level) at that time, take the build script from there, including changing any other dependency as necessary to get it built and support future security updates by themselves
- hack build script for PHP-8 and necessary dependencies and support future updates by themselves
With previous experience having had to resort to a combination of the last two points above, knowing the Slackware philosophy for stability and consistency (with which I agree, most of it, with few exceptions though) I have to ask:
How will Slackware support PHP beyond 28 Nov 2022?
- freeze PHP version, leaving systems open to future discovery of vulnerabilities
- upgrade PHP to generation 8 (like 8.0)
- provide security updates for 8.0 and 8.1 from /extra
- other?
Thank you.