Web based family history software

Question PHP version false alarm

11 months 2 weeks ago #1 by martin1
PHP version false alarm was created by martin1
Hi!

webtrees tries to guess supported PHP versions.
But upstream PHP versions are not relevant for most Linux installations, so that warning is wrong, e.g. for PHP 7.4.
Updates are managed by Linux distributions. Maybe that warning should be removed.

11 months 2 weeks ago - 11 months 2 weeks ago #2 by Franz Frese
Replied by Franz Frese on topic PHP version false alarm
You are wrong. webtrees messages concerning installed / used PHP versions are relevant. It simply has to do with the PHP features that webtrees (or used libraries) uses.
Last edit: 11 months 2 weeks ago by Franz Frese.

11 months 2 weeks ago - 11 months 2 weeks ago #3 by martin1
Replied by martin1 on topic PHP version false alarm
Webtrees requires PHP 7.4 to 8.3!
-> webtrees.net/install/

And btw, I meant that security warning...
Last edit: 11 months 2 weeks ago by martin1.

11 months 2 weeks ago #4 by Franz Frese
Replied by Franz Frese on topic PHP version false alarm
Am I blind?
I do not see a warning.

11 months 2 weeks ago #5 by Warius
Replied by Warius on topic PHP version false alarm
Look at "Control panel / Server information"; there you can see which version webtrees effectively uses,

e.g. in my installation: PHP Version 8.3.0

11 months 2 weeks ago #6 by Franz Frese
Replied by Franz Frese on topic PHP version false alarm
I know, but that has nothing to do with the title of this thread.

11 months 2 weeks ago #7 by bertkoor
Replied by bertkoor on topic PHP version false alarm

martin1 wrote: webtrees tries to guess supported PHP versions.

No, it does not. See www.php.net/supported-versions.php
PHP 7.4 for instance went end-of-life in December 2022. Ubuntu might have backported some patches to security vulnerabilities, but do you want to risk that? As robstone wrote on reddit:

robstone@reddit wrote: given Ubuntu's penchant for leaving packages in their repos without updates for known CVEs, my confidence in that actually happening is somewhat low.

Do you know how long the list is? It's rather impressive ...

martin1 wrote: Maybe that warning should be removed.

webtrees has no knowledge of how the underlying server is exactly managed. Perhaps you find it obsolete, but for others it is not. It's just a warning, ignore it if you want.

stamboom.BertKoor.nl runs on webtrees v2.1.20

11 months 2 weeks ago #8 by martin1
Replied by martin1 on topic PHP version false alarm
Ubuntu got most of its packages from Debian and they are still supporting PHP 7.3:
packages.debian.org/search?keywords=php&...uite=all&section=all

The upstream PHP version roadmap is useless, because Linux does not work like this. It is using its own packages.
So a warning "no updates anymore" is wrong.

11 months 2 weeks ago - 11 months 2 weeks ago #9 by norwegian_sardines
Replied by norwegian_sardines on topic PHP version false alarm
1) Always title your threads with words that mean something to others looking at the thread. In many cases this means providing the error message! Your title does not have meaning to this thread!
2) PHP 7.3 is not supported any more. So YES the message "no updates any more" is correct! Here are the current supported PHP versions! If the packages provided via your Linux version make updates outside of the PHP support then the package is not 7.3, it is 7.3.x or 7.3+. But it still is important to be on the current PHP version so that any new or deprecated functions are also maintained. webtrees may use or remove functions not supported in the current release of PHP!
 

Ken
Last edit: 11 months 2 weeks ago by norwegian_sardines.

11 months 2 weeks ago #10 by martin1
Replied by martin1 on topic PHP version false alarm
So you are compiling your PHP yourself? Otherwise you are wrong, learn how Linux works:
en.wikipedia.org/wiki/Package_manager


 

11 months 2 weeks ago #11 by Franz Frese
Replied by Franz Frese on topic PHP version false alarm
No. You are wrong. webtrees simply uses an installed PHP. That is all and there is nothing more to say and I will not.

11 months 2 weeks ago #12 by fisharebest
Replied by fisharebest on topic PHP version false alarm
I guess you are talking about this message:

"Your web server is using PHP version %s, which is no longer receiving security updates. You should upgrade to a later version as soon as possible."

This is based on the EOL date of your PHP version, as listed in post #9.

It's a warning, not an error. Nothing will stop working. It is only shown to admins on the control panel. Feel free to ignore it.

When you talk about "linux distributions managing packages", then I guess you are talking about Remi Collet's php-security-backport project.

e.g. github.com/remicollet/php-src-security/c...-security-backports/

(Remi works for RedHat and produces the PHP packages for RedHat, CentOS and other distributions).

Yes, he collects security fixes and backports them to older versions.

Does he catch all security fixes? Probably not.
Does he look for and fix issues that only exist in older versions? No.

Why do these packages exist? Because RedHat commits to providing stable systems for a decade. If your company has spent tens of millions building a website that only runs in PHP 7.4, then they may make a business decision to keep running it for a decade on PHP 7.4 because rolling-rewrites for newer PHP versions is too difficult/expensive. They will probably also implement plenty of other mitigations such as disabling all unused functions, etc.

BTW, I am responsible for info-sec for my department (at a large UK university) so I take these things fairly seriously. I wouldn't be allowed to deploy a server with an outdated version of PHP.

YMMV. Your server, your data, your choice.

Greg Roach - greg@subaqua.co.uk - @fisharebest@phpc.social - fisharebest.webtrees.net
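
The check discussed in this thread, sketched as an added example (not webtrees' own code and not part of any post): it maps a PHP version string to its branch, compares the branch's upstream end-of-security-support date with today, and separately reports whether the string carries a distribution build suffix. The function name `php_support_status`, the date table and the sample version strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumed end-of-security-support dates per PHP branch; confirm them against
// www.php.net/supported-versions.php before relying on this table.
const UPSTREAM_SECURITY_EOL = [
    '7.3' => '2021-12-06',
    '7.4' => '2022-11-28',
    '8.3' => '2027-12-31',
];

/**
 * Classify a PHP version string (hypothetical helper for this example).
 * Returns the branch, its upstream EOL date, whether that date has passed,
 * and any build suffix found after the x.y.z part.
 */
function php_support_status(string $version, DateTimeImmutable $today): array
{
    if (!preg_match('/^(\d+\.\d+)\.\d+(.*)$/', $version, $m)) {
        throw new InvalidArgumentException("Unrecognised PHP version: $version");
    }
    [, $branch, $suffix] = $m;
    $eol = UPSTREAM_SECURITY_EOL[$branch] ?? null;

    return [
        'branch'       => $branch,
        'upstream_eol' => $eol,
        // Branches missing from the table are reported as null, not guessed.
        'past_eol'     => $eol === null ? null : $today > new DateTimeImmutable($eol),
        // A suffix such as "-4ubuntu2.19" marks a distribution build. It shows
        // who packages PHP, not which security fixes were backported.
        'build_suffix' => $suffix !== '' ? $suffix : null,
    ];
}

// Constructed sample inputs: an upstream-style string, an Ubuntu-style string,
// and the version of the interpreter running this script.
$today = new DateTimeImmutable('2024-06-01');
foreach (['8.3.0', '7.4.3-4ubuntu2.19', PHP_VERSION] as $v) {
    $s = php_support_status($v, $today);
    printf(
        "%-20s branch %s, upstream EOL %s, past EOL: %s, build suffix: %s\n",
        $v,
        $s['branch'],
        $s['upstream_eol'] ?? 'unknown',
        var_export($s['past_eol'], true),
        $s['build_suffix'] ?? 'none'
    );
}
```

The version string alone cannot confirm that a distribution build has received a given fix; the package changelog and the distribution's security tracker are where backported fixes are recorded.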

11 months 2 weeks ago #13 by martin1
Replied by martin1 on topic PHP version false alarm

fisharebest wrote: I guess you are talking about this message: "Your web server is using PHP version %s, which is no longer receiving security updates. You should upgrade to a later version as soon as possible."

Right.

fisharebest wrote: This is based on the EOL date of your PHP version, as listed in post #9. It's a warning, not an error. Nothing will stop working. It is only shown to admins on the control panel. Feel free to ignore it.

There is nothing to warn for up-to-date Debians and Ubuntus.

fisharebest wrote: When you talk about "linux distributions managing packages", then I guess you are talking about Remi Collet's php-security-backport project.

No. I meant the usual way Linux distros support software.

fisharebest wrote: BTW, I am responsible for info-sec for my department (at a large UK university) so I take these things fairly seriously. I wouldn't be allowed to deploy a server with an outdated version of PHP.

BTW, I am a certified Linux admin, working for big companies worldwide.

fisharebest wrote: YMMV. Your server, your data, your choice.

Your misinterpretation. Take a look at this page. WordPress people have covered this issue:
php.watch/articles/extend-lifetime-legacy-php

And states: "only 16% of the reported WordPress sites run on a PHP version supported by the PHP core developers."

And the explanation for that: "Debian LTS, Ubuntu LTS, Rocky Linux, and RHEL are a few Linux-based operating systems that provide PHP in their default repositories. They do not receive bug fixes from upstream, but security fixes are backported as applicable."


 

11 months 2 weeks ago #14 by norwegian_sardines
Replied by norwegian_sardines on topic PHP version false alarm
I’m so glad you are a certified Linux admin. I suspect that your company has decided to live on with PHP v7.4, webtrees will work fine as Greg indicated.
But my PHP distribution is at 8.1? And I can select 8.2 if I desire. And I don’t compile my own, but if I had to I would!

Ken
