| 1 |
Heya, |
| 2 |
|
| 3 |
I'm going to p.mask =dev-lang/php-4* and all packages explicitly |
| 4 |
depending on this version of php (i.e. the whole dev-php4/ category |
| 5 |
(36 packages) and one webapp, www-apps/knowledgetree, bug 194894 [1]) |
| 6 |
next weekend (around Oct 14th). This step is necessary as there is |
| 7 |
hardly any upstream activity anymore. |
| 8 |
|
| 9 |
The last official version of php-4, 4.4.7, dates back to May 3rd and is |
| 10 |
in the same state as php-5.2.2 security-wise (and we all know how many |
| 11 |
issues php-5 had in the past, just have a look at the recently published |
| 12 |
GLSA 200710-02 [2]). |
| 13 |
|
| 14 |
All those security problems, which were fixed in the 5.2 branch, |
| 15 |
possibly apply to the 4.4 branch as well, yet there are no (backported) |
| 16 |
fixes in upstream CVS and there is no sign of an upcoming release |
| 17 |
either. |
| 18 |
This means, if we were to continue php-4 support we would have to do |
| 19 |
the upstream work and compile a list of issues + patches. Upstream |
| 20 |
developers seem to see it the same way -- "if you really want to get it |
| 21 |
done - do it" was one reply when I asked what's up with php-4. Noone |
| 22 |
from our PHP team has the time and motiviation to do that work, and as |
| 23 |
such we are going to mask it (unless someone volunteers to do the work |
| 24 |
and/or upstream becomes active again). |
| 25 |
|
| 26 |
We will still keep php-4 (and all related packages) in the tree until at |
| 27 |
least the end of the year (this is the date where official upstream |
| 28 |
"support" ends) and bump it if (and not "when"...) there are any |
| 29 |
releases. |
| 30 |
|
| 31 |
We advise all users of of php-4 to upgrade to php-5 as soon as possible. |
| 32 |
|
| 33 |
[1] https://bugs.gentoo.org/show_bug.cgi?id=194894 |
| 34 |
[2] http://www.gentoo.org/security/en/glsa/glsa-200710-02.xml |
| 35 |
|
| 36 |
-- |
| 37 |
Christian Hoffmann |
| 38 |
Gentoo PHP herd |
Archives