Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
PHP

PHP 8.0 End of Life Is Today, November 26, 2023 (sysadminafterdark.com) 40

Slashdot reader sysadminafterdark writes: Released on November 26, 2020, PHP 8 brought many optimizations and powerful features to the language.Fast forward to today, and PHP 8 is getting the boot in favor of 8.1, 8.2, and 8.3 with 8.4 in development. This leaves some websites at risk of breaking and potential security issues. Hearing of this news, I upgraded my own blog and wrote an article on how to add the Remi repository and update. I run Enterprise Linux (The best distro out there) so if you are standing up new boxes, just keep in mind the PHP in the repo is deprecated.
This discussion has been archived. No new comments can be posted.

PHP 8.0 End of Life Is Today, November 26, 2023

Comments Filter:
  • by 93 Escort Wagon ( 326346 ) on Sunday November 26, 2023 @03:46PM (#64033043)

    "... so if you are standing up new boxes, just keep in mind the PHP in the repo is deprecated."

    Most enterprise Linux distributions backport any security fixes to the version of PHP they settled on at launch*. So no, you probably don't need to worry about the fact that your Linux distribution still installs PHP 8.0.

    That's pretty much the whole point of an enterprise Linux - it gives companies a stable target platform they can count on being maintained for several years.

    * This is true of any package included in the distro, not just PHP.

    • by Anonymous Coward

      Indeed. Replacing your system-provided and patched/backported packages, with those from some random project isn't a move up in terms of security. And then there's all the fun random compatibility issues and breakages it'll inevitably bring. This article is just terrible advice.

      • by reanjr ( 588767 ) on Sunday November 26, 2023 @06:40PM (#64033423) Homepage

        Remi's repo is essentially the "official" source of PHP for RHEL-based distros. Pretty much no one uses RH's, and Remi is the one everyone uses. I'm pretty sure Remi works for RH, but he supports modern PHP in his free time.

        • by ls671 ( 1122017 )

          LOL! java 1.8. released in 2014 still receives updates. Some people like it the hard way I guess, namely with Python and PHP /s

          End of Public Updates (Free)
          April 2019 for Oracle
          July 2026 for Amazon Corretto[11]
          November 2026 for Eclipse Temurin[12]
          November 2026 for Red Hat[7]
          December 2030 for Azul[9]

          End of Extended Support (Paid)
          December 2030 for Oracle

        • I have my doubts many people other than hobbyists actually do this.

          If I wanted to support a non-default version of PHP, Python, etc. on RHEL 8 or above, I'd do it the official way - using Application Streams [redhat.com].

          Just speaking for myself, obviously, but - the only time I've added an external / unofficial repo is when I've needed software that RHEL doesn't offer *at all*. Shibboleth, for instance.

          • The number of hobbyists using RHEL-based distros is probably pretty small. Hobbyists tend towards Deb-based systems or more exotic distros like Arch.

            You could be correct that RH customers rarely use third party repos, but most boxes running RHEL-based distros (like CentOS of yesteryear) are probably not RH customers.

        • by Anonymous Coward

          Pretty much no one uses RH's, and Remi is the one everyone uses.

          That is factually and demonstrably incorrect.

          Please stop making general statements about things where you only have anecdotal knowledge.

    • by codebase7 ( 9682010 ) on Sunday November 26, 2023 @05:18PM (#64033249)

      "... so if you are standing up new boxes, just keep in mind the PHP in the repo is deprecated."

      The main point of that statement was scare tactics. Developers hate seeing older versions of their code in use. Much less supporting it. Even if the "support" only amounts to repeating the phrase "complain on your distro's bug tracker." So regardless of whether or not you run an Enterprise Linux distro, Developers try to push their bleeding edge on everyone using any means necessary.

      Side Note:
      "Deprecated" should be a dirty word in software development. It means the developers failed to consider future developments / maintainability when writing the code originally, and are absolutely refusing to provide backwards compatibility to end-users who have become dependent on said code. To put it another way, Declaring something "deprecated" is a public admission that you've failed as a software developer, and should be sufficient cause for self-reflection and improvement. Not something to be used on a regular basis as an excuse for laziness post release.

      • by Saffaya ( 702234 )

        Your post explains well why I fking hate it.
        Famous abusers:
        _Python
        _Chrome
        _Windows
        etc...

      • Everybody has failed as a software developer. Software maintenance is the art of managing inevitable human imperfection. This includes giving adequate notice that the team will remove footguns, or features that had been making the language and/or its standard library worse by their very presence.

    • by eriks ( 31863 )

      Totally. Even PHP 7.4 will continue to be semi-supported (at least security patches) on most "server" distros at least through 2024, even though the PHP devs stopped officially supporting it already. Upgrading for the sake of upgrading is never a good practice, though it's never good to be left high and dry either...

      • by ls671 ( 1122017 ) on Sunday November 26, 2023 @11:25PM (#64033893) Homepage

        I host some vm for those, a reverse proxy with mod_security properly (custom) configured for those apps is a must to mitigate risk as much as possible! I even have some vms running PHP 5.6.40-58+0~20220614.65+debian9~1.gbpc40f11 (cli) with developers having vanished since a long time and customers not wanting to pay to upgrade it.

        PHP is a pain to upgrade from version to version while I still run some apps developed for java 1.0 with recent versions of java. Cake PHP framework used to have a class named "String" then, php implemented a class named "String" in later versions screwing Cake up. Namespace anybody?

        mydomain.myproject.String vs java.lang.String

        Is name space finally implemented in php? Seriously asking...

        • by eriks ( 31863 )

          Migrating PHP versions isn't *that* bad... If you're lucky enough to have not used stuff that gets changed... I have code I've carried all the way from 3 to 8. There were a lot of gotchas: basic behaviors that changed. Insane things like changing parameter order for built-ins and syntax changes for working with arrays(!) Most of the changes have been "good" in terms of making the language less bad, but no fun if you have to maintain (really) old code.

          PHP has had "namespaces" since 5.3, though I've never

          • by ls671 ( 1122017 )

            Thanks!

          • The amount of work you had to put in is probably okay for a hobby project or an open source library. However, for real business code, this is unacceptable.

            Really, the developers of PHP are making it difficult to make this language attractive for long-term stable development. Nobody at 'PHP headquarters' is going to give any guarantuee that even a minor update from 8.0 to 8.1 won't break things. They put the burden of checking & modifying your code, with every version update, on you, the developer. On al

            • by eriks ( 31863 )

              I agree that PHP (still) sucks, but the alternative is to completely rewrite legacy PHP applications in another language, which isn't practical, especially for time-tested, reasonably well-written code. It's (much) easier to keep on top of breaking changes in the language than it is to start from scratch, especially when dealing with only a few thousand lines of (more or less) modular code, since starting from scratch is going to create a lot more bugs than renaming/rearranging a few function calls. Most o

              • Though to be fair, when I look at the landscape of "popular" languages today, I'm not sure I'd want to use any of them. I'd probably want to use Perl 5.

                I'm right with you on that. The problem is, though, it's getting rather hard to find web developers who are both familiar with modern web practice/design and also have even a modicum of perl knowledge.

                I'm running into this issue right now, actually. So now I'm looking at people who know something else (typically PHP, since the expression syntax is rather similar) and seem savvy enough where I think they can develop a passable knowledge of perl - even if it's just to rewrite stuff into their preferred langua

        • I host some vm for those, a reverse proxy with mod_security properly (custom) configured for those apps is a must to mitigate risk as much as possible! I even have some vms running PHP 5.6.40-58+0~20220614.65+debian9~1.gbpc40f11 (cli) with developers having vanished since a long time and customers not wanting to pay to upgrade it.

          PHP is a pain to upgrade from version to version while I still run some apps developed for java 1.0 with recent versions of java. Cake PHP framework used to have a class named "String" then, php implemented a class named "String" in later versions screwing Cake up. Namespace anybody?

          mydomain.myproject.String vs java.lang.String

          Is name space finally implemented in php? Seriously asking...

          Namespaces were introduced in PHP 5.3.0 about 12 years ago. PHP does not force your directory structure to match your namespace hierarchy, and there are no builtin autoloaders.

      • by micheas ( 231635 )

        Totally. Even PHP 7.4 will continue to be semi-supported (at least security patches) on most "server" distros at least through 2024, even though the PHP devs stopped officially supporting it already. Upgrading for the sake of upgrading is never a good practice, though it's never good to be left high and dry either...

        I'll argue the other side. With every upgrade that fixes bugs, it is just a matter of time before those bugs are turned into CVEs that require upgrading.

        As such, developers need to design their code to work with shifting versions of dependencies, and CI/CD systems need to be designed so that they can adequately test code so that they can reliably run updates in an automated manner. If you fail to do that, your software will eventually be viewed as unusable by internet connected computers.

  • by Seven Spirals ( 4924941 ) on Sunday November 26, 2023 @03:54PM (#64033053)
    Too bad it's not true. Anyway back to my C compiler...
    • Which one?

      • Mostly ICC, but quite a bit of GCC and LLVM. I also have to cope with DEC C, Sun Studio, IBM XLC, HP C, and several other older non-C99 variants. When given a choice, I target C99 and don't pretend all other C standards other than K&R / ANSI even exist.
    • by Tarlus ( 1000874 )

      Do you write server side web applications in C?

      • Re: (Score:3, Insightful)

        I don't touch the web, thank $diety. I hate web programming. Also, I'm not a big PHP hater, honestly, I think it's the "coding for the web" part that's the worst. I'd rather see PHP succeed than ASPx or ColdFusion, etc...
        • by Tarlus ( 1000874 )

          Ah, just curious. I worked with a fellow who wrote all his server side stuff in C++ as Apache modules. Very strange way of doing it. His apps were fast, and it was on a bare metal server, but I shudder to think of how vulnerable that whole setup was.

  • I know the argument that distribs backport but there should be longer support, especially since there are constant syntax changes in minor versions that might break things. This is valid for python, php and a bunch of other languages.

    Sure, in shiny startups willing to break things using the shiniest objects it's not an issue but in practice there may be other constraints

    and "just let the distrib maintainers handle it through backports" is not imho the best advice

    • Startups don't have to support anything for greater than 2 months, much less in production, because they all die. It's pure software developer job security by breakage and churn without considering stability or compatibility.
  • A line of praise immediately followed by the fact that there's an obvious flaw in the repo pushing outdated software.

    This just goes to show distribution choice is an emotional attachment rather than a meaningful data backed decision.

  • It's all Hack, while looking like PHP, it isn't that insecure POS that sysadmins have laughed at since 2003.
  • And here I'm still on 7.4 since my server doesn't support later versions... Stop the madness!!!!!!!!!

  • by johnwbyrd ( 251699 ) on Monday November 27, 2023 @12:25PM (#64035511) Homepage

    For any point release. The platforms I work on require ten or more years of stable code bases. This absolutely rules out PHP as a development language. For a personal blog, sure, but I wouldn't trust PHP to any commercial or industrial application.

How many hardware guys does it take to change a light bulb? "Well the diagnostics say it's fine buddy, so it's a software problem."

Working...