[TYPO3-core] PHP version requirement

Felix Kopp felix-source at phorax.com
Mon Mar 4 12:11:24 CET 2013

Thank you for the insight.
This points me to:

— Make 6.0 based on "cutting edge" php (5.3.7+)
— Use 4.5 LTS version of TYPO3 for debian stable

We have enough products and versions to support most systems out there.

Also pragmatically I guess there won't be any more time spend on the 
core + backward compatibility of 6.0.


On 04.03.13 11:56, Ernesto Baschny [cron IT] wrote:
> Hi,
> just to clarify some aspects before the "Debian-bashing" goes on:
> Jigal van Hemert schrieb am 03.03.2013 19:52:
>> (...)
>> A pretty large and well known hosting company offers a choice between
>> various PHP versions to their customers (IIRC the customer can set the
>> PHP version for each domain). If they can do that, the system
>> administrators of large companies should also be able to do that.
>> It seems that some translate "enterprise" to "keep using outdated
>> software for decades".
>> And really, PHP 5.3.x is not "cutting edge". PHP 5.5 is in alpha state,
>> 5.4 was released over a year ago, 5.3.7 was released on August 18, 2011.
> Debian Squeeze was released February 2011 and thus included 5.3.3, which
> was the "cutting edge" stable PHP at that time. And Debian supports this
> version until now, which is pretty amazing and is very welcome by most
> enterprise application users which need to rely on such a stability for
> a couple of years.
>> If you don't install bugfix releases you end up with insecure servers:
> Not with Debian, because security fixes *are* backported to the released
> version. Thus providing stability (no change in the API, no new
> features), but still security:
>> Security Enhancements and Fixes in PHP 5.3.9:
>> (...)
>> Security Fixes in PHP 5.3.10:
>> (...)
>> Security Enhancements for both PHP 5.3.11 and PHP 5.4.1:
>> (...)
>> And the list goes on...
> All these *and much more* have been solved in Debian Squeeze already.
> There have been 10 updated PHP 5.3.3 Debian packages since. The API and
> it's feature set is since 2011 stable and can be relied on and there are
> no known security issues.
> And most amazing: This Debian support would work even if PHP declared
> PHP 5.3 "obsolete" before Debian Stable was "end of live".
> I can without blinking (even automate) a "aptitude upgrade" on all
> production servers without worrying that it might break some of my
> applications which already run. It's the same stability I have with 4.5
> LTS by the way.
> So this policy is not bad per se.
>> Again, this "problem" is blown way out of proportion. It only happens
>> with extensions which still don't use the autoloader (which is available
>> for a long time) on installations with an old and insecure version of
>> PHP. There is no hard check for PHP 5.3.7; if you use a PHP version with
>> a lower version number which includes the patch you won't have a problem.
>> I think that some people try to make a mountain out of a molehill.
> Might be, but I guess the point of Joey, Stucki and others is still
> valid, and I can endorse that:
> Debian Squeeze is still stable and very much liked in the enterprise and
> hosting area, and thus TYPO3 should be really considered.
> BTW: RedHat Enterprise Edition 6 (current latest RHEL in the market) was
> also released early 2011 and also *still* includes PHP 5.3.3
> (5.3.3-22.el6). Both RHEL and Debian will most probably release a next
> release this year (and will include PHP 5.4 then).
> About TYPO3 6.x: I know the effort done with the "hotfix" in order to
> circumvent the auto-loading issue of PHP 5.3.3, because I was also
> involved in reviewing it (http://forge.typo3.org/issues/40653). If this
> is indeed the only issue that might hinder 5.3.3 users to use 6.0
> (considering extensions adopt auto-loading), I guess we're on track.
> There aren't any other known issues for this combination yet, right?
> Cheers,
> Ernesto

More information about the TYPO3-team-core mailing list