What does Ubuntu do when LTS is supported for 12 years, but PHP is not?

veer66@lemmy.one to Linux@lemmy.ml – 88 points –

Will they keep patching old version of PHP?

27

They're waiting for Debian developers backporting the patches.

In many cases, they will cherrypick security fixes and other major bugfixes from the bleeding edge version, and put those fixes in the old versions of the software.

This is the same thing the PHP folks would do while the old PHP is supported. Once the old PHP is out of support but Ubuntu LTS is still in support, then the Ubuntu folks have to put in the extra work to do the cherrypicking.

Only if there is such a huge vulnerability that they will have no choice.

That’s just my guess.

Promise of support is a tricky one.

I love how people are up-voting your completely wrong "just a guess".

Take up non-feature security-only maintenance.

This isn't hard. SCO and Sun did exactly this.

There are community backports (like Sury's Debian builds) for PHP, including a branch of PHP 5.6 originally released in 2014. Most other notable languages and major packages have something likewise as well, right down to major packages like Drupal 6. It's not always easy, but it's doable and the work is usually either already done or can be paid for.

Weird things that are truly too difficult to support are also often excluded. Eg Spectre/Meltdown fixes were non-trivial and had to be backported to a fairly wide range of things but that only went so far back. Some old systems just never got those fixes and instead have to be ran with a workaround ("don't run untrusted code"). I don't know how things are with the new offering but large complicated packages with lots of moving parts like OpenStack used to be excluded from the full extended support cycle before as well.

I would think "long term support" can also sometimes mean moving that support to a newer version, especially where it doesn't break compatibility.

That would be the logical conclusion, but I believe Debian uses the old version for years after it's unsupported and might backport security fixes depending on how severe they are. Either way, I personally wouldn't trust Debian or Ubuntu to properly fix security issues with a program (or in this case, programming language) that they do not actively develop or maintain themselves.

I'm sure it'll be fine, just keep running the old version 🙃

It will be fine. That's the entire point of an lts version. Ubuntu back ports security fixes to the old versions.

LOL they'll do nothing as usual. Probably they will apply security patches if someone submit them, but I'm unsure.

Uh, no.

https://ubuntu.com/about/release-cycle

For each Ubuntu LTS release, Canonical maintains the Base Packages and provides security updates, including kernel livepatching, for a period of ten years.

All the blind Ubuntu hate in here...

It does not even provide security fixes to unpayed users for two years. Except for few "base" packages. BTW is php a "base" package in ubuntu?

Ubuntu Pro is free for up to 5 machines per account.

Any reason to register an account instead of installing Debian?

Installing Debian is not an alternative to the 10-12 year Ubuntu LTS support because Debian doesn't offer that kind of support. Also as the sibling noted, Ubuntu Pro isn't needed to get the same support you're getting from Debian. Ubuntu Pro provides additional support that you don't get from Debian throughout the support lifespan.

BTW, not offering 10-12 years of support is totally reasonable for a community distribution. I don't expect volunteers to be backporting fixes for packages built 12 years ago.

10-12 years of support attract only those who think they will never need to update. I don't think so and I update to each released version, each ~2 years. I know that skipping a release is not supported in any distribution. And update cost grows exponentially over time. So thank you, but I don't need a support for longer than 3 or 4 years. But for that period I want to have security updates for all software I installed, not only "base". And I want to get them from public repositories hosted on independent mirrors to be sure that I wont be banned by vendor for some reason.

As for additional support, I don't need it. I can solve my problems myself and do if faster than Canonical would do. And not only my problems. I also contribute to open source software and I want my contributions to be available to anyone, not only those who pay for support to some company that I have no relationship with.

There's no need to register an account with Ubuntu at all. You have no idea what you're talking about. You don't need a pro license to get updates for an LTS for 5 years of support. The "base packages" are both the "main" and "restricted" repositories - it isn't just a few "core libraries" as you seem to think.

Debian is an excellent distro but I can't even find out what Debian considers to be covered by their LTS. Their page about it is very vague. I would guess that it's the same though - "main" repository is what they cover. Similar to Ubuntu.

I thought they mean support beyond 5 years. You're right of course.

There’s no need to register an account with Ubuntu at all. You have no idea what you’re talking about. You don’t need a pro license to get updates for an LTS for 5 years of support. The “base packages” are both the “main” and “restricted” repositories - it isn’t just a few “core libraries” as you seem to think.

Really? So why does apt tell me that I need to get updates for more packages than it has downloaded each time I run apt update? I have latest LTS (22.04) on my laptop. Maybe you have no idea what you are talking about? I could get any updates until recent (year or two? I use that laptop only occasionally, so I don't remember the exact time), but now it is clear that Canonical goes the same way as RedHat/IBM.

I would guess that it’s the same though - “main” repository is what they cover. Similar to Ubuntu.

You are wrong because Debian's main is not similar to Ubuntu. Debian has no universe repo, all FOSS packages go to main.

So why does apt tell me that I need to get updates for more packages than it has downloaded each time I run apt update? I have latest LTS (22.04) on my laptop.

"I'm going to provide zero information about a problem I'm having, say that I have no idea why it's happening, and then claim it supports my conclusion - check mate!"

I would provide an info about a problem if I asked for help. But I don't need any help, I know the solution.

@atzanteol @bizdelnick
From what I read, the +5 yrs with a Pro account is on top of the LTS 5 yrs support.

Say Xenial ended last April 2021. With Pro that extends it another 5yrs. With it support ends some time in 2026?

But that is not +5 from when you got the Pro account. It started ticking the moment Xenial EOL'd. So if I signed up Pro now, my Xenial updates will still end on 2026. Should work for later LTS versions, +5 after base 5 on the same Pro account free up to 5 machines.

Yes.

$ apt policy php
php:
  Installed: (none)
  Candidate: 2:8.1+92ubuntu1
  Version table:
     2:8.1+92ubuntu1 500
        500 http://mirrors.us.kernel.org/ubuntu jammy/main amd64 Packages
        500 http://mirrors.us.kernel.org/ubuntu jammy/main i386 Packages
        500 https://mirrors.mit.edu/ubuntu jammy/main amd64 Packages
        500 https://mirrors.mit.edu/ubuntu jammy/main i386 Packages
        500 http://apt.pop-os.org/ubuntu jammy/main amd64 Packages
        500 http://apt.pop-os.org/ubuntu jammy/main i386 Packages
1 more...
1 more...
1 more...