Newsgroups: php.internals
Xref: news.php.net php.internals:23375
Date: Mon, 15 May 2006 12:14:56 -0400
From: ilia@prohost.org (Ilia Alshanetsky)
To: Stefan Esser
Cc: PHP internals
Subject: Re: [PHP-DEV] PHP Release Process Sucks
Message-ID: <5297093F-B826-47BE-9529-46BCE6BE1A89@prohost.org>
In-Reply-To: <4468A360.5050609@php.net>
References: <4468848D.5020602@php.net> <9854F2DC-4DD8-46E7-863F-3B4FF2327C49@prohost.org> <4468A360.5050609@php.net>

On 15-May-06, at 11:50 AM, Stefan Esser wrote:

> Hey,
>>
>> The code in the release did not change one bit, the only change was the
>> inclusion of the missing phar file, this hardly warrants 5.1.5 or even
>> 5.1.4pl1. This will have no impact on people who have already
>> downloaded and installed PHP, nor will this impact people who have yet
>> to download PHP.
>>
> It will have an effect on everyone using f.e. gentoo linux or BSD port
> system, because mysteriously the hash of the tarball changed and people
> will get warnings about modified tarballs. It also has the effect that I
> am getting emails from people asking me if PHP.net was backdoored,
> because the MD5 hash changed....
> And if you want to change tarballs and don't change the version number
> (which is considered very bad by many people) then at least WARN people
> about the modified tarball. A simple message: tarball was missing PEAR
> and was therefore rerolled is not so bad...

I'll add that to the 5.1.4 release message on the front page, that was an oversight on my part.

>
>> The patches for security holes are usually in within a week, if you
>> want to fetch them you can do so either in a form of a PHP snapshot or
>> a specific patch from CVS. To make releases every time we get security
>> fault is impractical.
> First the zend_hash_del() bug caused remote code execution in a bunch of
> popular PHP scripts. Secondly most open source projects release security
> bugfix releases. PHP.net on the other hand doesn't do this anymore.
> There are no security only fixes anymore. Instead we release not
> properly tested new versions of PHP that break tons of servers. (fastcgi
> ....)
>

"Tons" is a very quantitative number ;-), while fastcgi is definitely a used SAPI, it is nowhere near the usage of the Apache sapi or even plain cgi. According to a basic Google Search mod_php is about 8 times more popular than CGI/FastCGI and of the 24,000 found phpinfo() for the latter I'd wager no more than 1/2 actually use FastCGI.

> And well... I still see no PHP 4.4.3 on PHP.net... However we still
> offer the PHP 4.4.2 tarball (knowing that it has critical security
> holes). So either we release a security FIX release or we kick the
> tarball and declare PHP4 unsupported from now on.

PHP 4 is still supported, no one is suggesting that we discontinue it. Derick can better comment on when he plans on making the release, but it will definitely happen.

Ilia