Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:64678 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 19435 invoked from network); 8 Jan 2013 13:17:41 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 8 Jan 2013 13:17:41 -0000 Authentication-Results: pb1.pair.com smtp.mail=johannes@schlueters.de; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=johannes@schlueters.de; sender-id=unknown Received-SPF: error (pb1.pair.com: domain schlueters.de from 217.114.211.66 cause and error) X-PHP-List-Original-Sender: johannes@schlueters.de X-Host-Fingerprint: 217.114.211.66 config.schlueters.de Received: from [217.114.211.66] ([217.114.211.66:38137] helo=config.schlueters.de) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 10/B6-16636-27C1CE05 for ; Tue, 08 Jan 2013 08:17:39 -0500 Received: from [192.168.2.20] (ppp-93-104-24-251.dynamic.mnet-online.de [93.104.24.251]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client did not present a certificate) by config.schlueters.de (Postfix) with ESMTPSA id E663A65D69; Tue, 8 Jan 2013 14:17:35 +0100 (CET) To: Pierre Joye Cc: Clint Priest , Kris Craig , PHP internals In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Date: Tue, 08 Jan 2013 14:18:27 +0100 Message-ID: <1357651107.1889.1280.camel@guybrush> Mime-Version: 1.0 X-Mailer: Evolution 2.30.3 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC][discussion] 5.3 EOL From: johannes@schlueters.de (Johannes =?ISO-8859-1?Q?Schl=FCter?=) On Tue, 2013-01-08 at 12:39 +0100, Pierre Joye wrote: > On Tue, Jan 8, 2013 at 12:25 PM, Clint Priest wrote: > > > Would this 1 or 2 year period begin from release date of 5.3 or as of around now/vote? > > See "When should start the EOL period and when should it be announced?" I don't understand why we have to go through this again, but anyways, if we do this: Separating the two questions is "strange" and can lead to unintended results. They should be combined into one. Example assumption: 50%+1 vote for "One year with security fixes only" but are split between "With the next PHP 5.3 release" and "Right after the end of this vote" Whereas 50%-1 vote for "Two years, one normal fixes and one security fixes only" and "With the PHP 5.5 final release" Then the winner will be "One year with security fixes only" and "With the PHP 5.5 final release" which probably wasn't intended by the majority. Aside from that: I don't think we need "the PHP Security team" to review all things, sometimes individual developers can make the choice, too. And in my opinion this should be more "fluent" where the bar for "criticalness" is set higher and higher, instead of suddenly basically stopping. In the end we have to deal with two things: On the one side we have users, they want a stable platform, they can rely on, without functional changes. Many people I talk to don't care much about small bugs with easy workarounds, but they care for simple risk-free updates for security things (which btw. is a reason why many use distribution packages not php.net's) On the other side are developers, who nowadays have to test 4 branches for each essentially trivial fix. This makes the process to verify a patch more annoying than it should be. Given that most here are volunteers the barrier shouldn't be set too high. By reducing the pressure to merge everything, in my opinion, we serve both - users have less risk updating (yes, with 5.3.18 and 5.3.19 we changed the behavior slightly, users have to always test this) and maintainers are a bit freer in their work. But we've been through this and the both of us won't come to agreement. johannes