[TYPO3-core] PHP version requirement

Ernesto Baschny [cron IT] ernst at cron-it.de
Mon Mar 4 11:56:15 CET 2013


Hi,

just to clarify some aspects before the "Debian-bashing" goes on:

Jigal van Hemert schrieb am 03.03.2013 19:52:

> (...)
> A pretty large and well known hosting company offers a choice between
> various PHP versions to their customers (IIRC the customer can set the
> PHP version for each domain). If they can do that, the system
> administrators of large companies should also be able to do that.
> It seems that some translate "enterprise" to "keep using outdated
> software for decades".
> 
> And really, PHP 5.3.x is not "cutting edge". PHP 5.5 is in alpha state,
> 5.4 was released over a year ago, 5.3.7 was released on August 18, 2011.

Debian Squeeze was released February 2011 and thus included 5.3.3, which
was the "cutting edge" stable PHP at that time. And Debian supports this
version until now, which is pretty amazing and is very welcome by most
enterprise application users which need to rely on such a stability for
a couple of years.

> If you don't install bugfix releases you end up with insecure servers:

Not with Debian, because security fixes *are* backported to the released
version. Thus providing stability (no change in the API, no new
features), but still security:

> Security Enhancements and Fixes in PHP 5.3.9:
> (...)
> Security Fixes in PHP 5.3.10:
> (...)
> Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:
> (...)
> And the list goes on...

All these *and much more* have been solved in Debian Squeeze already.
There have been 10 updated PHP 5.3.3 Debian packages since. The API and
it's feature set is since 2011 stable and can be relied on and there are
no known security issues.

And most amazing: This Debian support would work even if PHP declared
PHP 5.3 "obsolete" before Debian Stable was "end of live".

I can without blinking (even automate) a "aptitude upgrade" on all
production servers without worrying that it might break some of my
applications which already run. It's the same stability I have with 4.5
LTS by the way.

So this policy is not bad per se.

> Again, this "problem" is blown way out of proportion. It only happens
> with extensions which still don't use the autoloader (which is available
> for a long time) on installations with an old and insecure version of
> PHP. There is no hard check for PHP 5.3.7; if you use a PHP version with
> a lower version number which includes the patch you won't have a problem.
> I think that some people try to make a mountain out of a molehill.

Might be, but I guess the point of Joey, Stucki and others is still
valid, and I can endorse that:

Debian Squeeze is still stable and very much liked in the enterprise and
hosting area, and thus TYPO3 should be really considered.

BTW: RedHat Enterprise Edition 6 (current latest RHEL in the market) was
also released early 2011 and also *still* includes PHP 5.3.3
(5.3.3-22.el6). Both RHEL and Debian will most probably release a next
release this year (and will include PHP 5.4 then).

About TYPO3 6.x: I know the effort done with the "hotfix" in order to
circumvent the auto-loading issue of PHP 5.3.3, because I was also
involved in reviewing it (http://forge.typo3.org/issues/40653). If this
is indeed the only issue that might hinder 5.3.3 users to use 6.0
(considering extensions adopt auto-loading), I guess we're on track.
There aren't any other known issues for this combination yet, right?

Cheers,
Ernesto



More information about the TYPO3-team-core mailing list