Re: [Phplib-users] phplib 6.1, php3 and php4
From: Lindsay H. <fm...@fm...> - 2002-01-23 20:27:42
Thus spake Michael Chaney on Tue, Jan 22, 2002 at 10:12:03PM CST

> On Tue, Jan 22, 2002 at 02:52:19PM -0600, Lindsay Haisley wrote:
> > Actually, I installed phplib from a tar package from the author's website.
> > When I installed it, v 6.1 was the newest version. All my customers'
> > websites are built against phplib 6.1.
>
> I'm still not sure why this is the case, unless you built them all years
> ago and haven't had any new business since then. My customers are
> informed enough to know that software changes, and that periodically
> they'll get updated.

Yes, they were built years ago, and I've had plenty of new business, but because PHP and phplib are installed at the system level, new sites are built against the same functionality.

> As many of us have
> said, you are running old software which has known security problems, and
> worse yet you're thinking of upgrading to another broken version of PHP.

I appreciate notice that there's some kind of security problem with phplib 6.1, but until I get something specific w. regard to exactly what this is, I really can't consider it more than a rumor. The software isn't broken. It works fine. Everyone is happy. I'd like to upgrade to take advantage of new features in php4, and I'd really rather hold off on upgrading phplib until v8 comes out which, I understand, will take advantage of native php4 session management.

> Package management is great. But PHP changes too quickly, and the
> upgrades are too important to miss, for package management to be an
> option. Breathe deep, download the sources, and do a build. And get
> used to it.

The bottom line is, 'if it works, don't fix it'. Unless there are known, documented exploits with a given piece, or known bugs that make it really problematic, the only difference between old and new is more features.

If I build sites utilizing a given php/phplib API and they work fine, in the absence of security problems which would permit mischief from random sources elsewhere on the Internet, there's absolutely no reason to upgrade, so I beg to differ with you on this. I had hoped to get more technical specifics from people on this list, but all I've received is grandfatherly advice, which really hasn't told me anything I don't already know. I have a replacement server in the planning stage, and it'll be set up with php4 (a recent version) and a more recent version of phplib, but unless and until I get more information on exactly what breaks in phplib 6.1 between php3 and php4 I don't plan to migrate stuff on the existing server.

> The reason that we're not answering that is because your version of
> phplib is so incredibly old that we have no idea what all will break.

Incredibly old? The file dates indicate that it was installed in Nov of 1998. That's a little over 3 years ago, really not long enough, I would hope, for everyone to forget about it, but long enough that there should be some solid evidence w. regard to problems in a php version upgrade. Granted, with the growth of php and phplib, I expect that _most_ people on this list weren't using phplib in Nov. of 1998. Oh well...

> I cannot fathom that someone would update software so rarely.

If it works, don't fix it. Migration from phplib 6.1 to v7.x involves code rewrites for subclasses so that they can be properly serialized. Other than a greatly expanded feature set, I have seen no reason to upgrade and have to do all this work.

> I suppose that you're still running an
> exploitable 2.2 kernel, too.

Actually, yes. Exploits in the 2.2 kernels involve the ability to install rogue modules from a shell. There are no shell accounts on the server, other than administrative accounts. I know of no exploits implicating the Linux 2.2 kernel involving attack from external sources, except possibly from potential DoS attacks. Frankly, I don't believe there are any. The system is secure and has never been compromised.

> I would highly recommend that you get in the habit of upgrading PHP and
> Apache when upgrades are available, and update phplib when upgrades are
> available. You do your customers a great disservice by not doing this.

A disservice? How? No one complains. No accounts have been compromised. I really have a very high retention rate for customers, and almost all my new business comes from referrals from satisfied existing customers.

Michael, thank you for your recommendations. I will take your obvious wisdom and many years of experience as a system administrator into account when I consider your advice in planning future upgrades here.

-- 
Lindsay Haisley       | "Everything works | PGP public key
FMP Computer Services |  if you let it"   | available at
512-259-1190          |  (The Roadie)     | <http://www.fmp.com/pubkeys>
http://www.fmp.com    |                   |