php72u for CentOS 6 about php72u HOT 7 CLOSED

I know of the IUS policy about not adding any new packages for the older (but still supported) distributions

The reason IUS has a policy to not add new packages after the start of maintenance support 2 phase (formerly know as phase 3) is that it gets increasingly difficult to build software with the older libraries and dependencies that are available. It is not an arbitrary "we don't feel like it", it's based on actual experience of developing and maintaining recent software packages for RHEL.

In case if we don't have a newer PHP version for CentOS 6 its users are going to have high security issues risks during a whole year, not getting any PHP updates fixing the discovered vulnerabilities.

This is a misleading statement. EL6 users still get security updates for stock php packages for the lifetime of EL6. An EL6 user has a simple choice: switch back to stock php or upgrade to EL7 (which has been available for four and a half years now) to get access to more IUS packages. There is nothing unique about this situation. It is a user's responsibility to use maintained packages. IUS isn't putting anyone at risk.

Now that I've addressed those points, let's get down to the nuts and bolts of what it would take to make this happen.

argon2 build requirement

When we first built php72u, argon2 only existed in Fedora. We had to request the Fedora maintainer to built it for epel7. Another request will need to be made to build it for epel6 as well. This may be a simple request, or there may be obstacles to work out. It also depends on the maintainer being willing to do this work.

libsodium build requirement

When we first built php72u, libsodium was available in epel6 and epel7, but was too old. EPEL Updates Policy prevented directly updating these packages due to the library soname bump. We had to coordinate a complex update that involved adding a compatibility libsodium13 package (to provide libsodium.so.13) and an update for libsodium to a newer version. EL6's libsodium is even older, and would require a similar update plan: a new libsodium4 package to provide the existing libsodium.so.4, and a rebase of the existing libsodium package to a more recent version.

spec file compatibility

The php72u spec file will need some work. I don't know offhand everything that will be needed, but at the very least it will need to have sysvinit compatibility added. You can diff it with the php71u spec file (which has sysvinit compatibility already) to work on a pull request.

None of the above items are impossible, but I just don't have the time to do it myself. If you can take care of those blockers, that opens up the possibility of IUS building php72u for EL6. Frankly I don't think it's worth it, but I'm not going to arbitrarily deny it if you put in the work.

from php72u.

I thank you for your detailed response.

This is a misleading statement. EL6 users still get security updates for stock php packages for the lifetime of EL6. An EL6 user has a simple choice: switch back to stock php or upgrade to EL7 (which has been available for four and a half years now) to get access to more IUS packages.

Stock EL6 PHP 5.3 is really outdated, the vast majority of current PHP frameworks and libraries don't support it, so for most of the cases the simple choice is just one - upgrade the system to EL7, which is not always straightforward and requires planning and finances, which are hard to get from the management without a pressing issue, while EL6 still has 2 years of life in it, and EL8 is not very far away, so people can just entirely skip investing into EL7.

argon2 build requirement

libsodium build requirement

spec file compatibility

None of the above items are impossible, but I just don't have the time to do it myself. If you can take care of those blockers, that opens up the possibility of IUS building php72u for EL6. Frankly I don't think it's worth it, but I'm not going to arbitrarily deny it if you put in the work.

Now, at least, I understand that this is not a simple task, or mere decision. While I could try to ask for argon2 for epel6 in their Bugzilla, or even try to make the spec file work for EL6, the libsodium issue is, your word, complex.

Again, as you said, maybe it's not worth it. If there are no other people who can/want to help, I think we can close this issue, given there is also another lesser known repository which supports newer PHP versions for EL6.

P.S.

In iusrepo/wishlist#222 was mentioned (thanks, @vasillalov) the existence of REMI, which is another option, albeit a little bit more invasive and less elegant than IUS, I think.

from php72u.

Stock EL6 PHP 5.3 is really outdated

EL6 itself is really outdated. Just because it's not completely EOL yet doesn't mean it's a good choice. EL6 is in Maintenance Support 2 Phase, meaning Red Hat is only backporting critical fixes, at their discretion. Many CVEs have been getting marked as "will not fix" on EL6.

upgrade the system to EL7, which is not always straightforward and requires planning

It's past time to figure out your EL7 migration plan.

EL8 is not very far away, so people can just entirely skip investing into EL7.

This isn't as solid a plan as you think. EL8 doesn't have a public launch date. It could be in a month, or it could be in a year. And even when it does launch, there will be kinks to work out, especially with a major change like Application Streams (a.k.a. Modularity). EPEL will also not exist immediately, so many popular add-on packages will take time to become available. Many enterprise shops skip the .0 and .1 releases entirely and let things bake a little longer. It makes much more sense to get on EL7 now, then figure out an EL8 migration in 2-4 more years.

REMI

If Remi's repo works for you, by all means use it. That repo doesn't have rules like IUS limiting the scope, so when a dependency is needed he just adds it to his own repo, often obsoleting stock packages.

from php72u.

I would like to join in this request. There are many enterprise grade platforms built on PHP that now have an upgrade path to PHP 7.2. Magento is one of them but there are many others. Most vendors are now releasing patches for their platforms that enable them to run on PHP 7.2. Enterprise platforms move slower due to significant investments in R&D and QA. In addition, there are often contractual obligations that often cause further delays that basically create the necessity for supporting CentOS 6.

Remi already released 7.2 packages for RHEL6/CentOS6, however our agency relies heavily on IUS for packaging.

from php72u.

@carlwgeorge Thanks for taking the time to respond and for providing a run down of the technical dependencies needed to build packages on older OS releases. We understand it is a major undertaking.

Having looked at some of the details from your previous comments, I wonder if Remi packages are built differently...

from php72u.

EL8 doesn't have a public launch date. It could be in a month, or it could be in a year.

It's already in beta, even if it takes a year (I doubt) EL6 users still would have another year for upgrading.

It makes much more sense to get on EL7 now, then figure out an EL8 migration in 2-4 more years.

But you may be right about this, of course :)

I would have closed this issue now, but seeing @vasillalov is interested in this too, I'll let you guys decide when/whether to close it.

Thank you, Carl, for your time!

from php72u.

Both EL6 and php72u are EOL now.

from php72u.