Subject: Re: PHPv4 EoL
To: None <>
From: Geert Hendrickx <>
List: pkgsrc-users
Date: 12/06/2007 14:39:56
On Thu, Dec 06, 2007 at 08:32:58PM +0100, Joerg Sonnenberger wrote:
> On Thu, Dec 06, 2007 at 09:42:30AM -0500, Greg Troxel wrote:
> >   the user community would be better served if it were removed than it
> >   stayed, modulo the effort of maintaining it*
> > 
> > * and the effort is pretty low once upstream stops patching, and
> >   especially if we don't add vulnerabilities if it's eol
> So you just leave people with vulnerable installations? Bad idea in my
> opinion.

Leave them with a clearly marked-as-vulnerable installation, that's a very
different thing.

We must give people the time to migrate their home-grown or 3rd party web
applications, which can be very non-trivial in many cases.  Not everyone
can afford to run the latest-and-greatest software at all times.

Marking php4 as "eol" should be sufficient to encourage people to upgrade,
and as mentioned, the maintenance effort for us (pkgsrc) is minimal.

Heck, we only just removed BIND 4 from pkgsrc as well..

By the way, said they will continue to provide critical security
fixes until August 8, 2008.