Drop PHP 5.x #62
Comments
|
I would not drop support for PHP 5.4, since the latest Ubuntu LTS version is served with that version. Then, you may not be able to use this library when you want things to be secure now. |
|
To be fair, using PHP 5.4 should be considered a security risk as well. |
|
Well, it's that old, that hackers don't care about this (ancient) version. 😝 |
If Ubuntu LTS is shipping with dead software then that's their problem to fix 😉 As said this is a future goal (with no date as of yet), so no immediate drop of support. If it matters to you, please push relevant providers to use non EOL software before that future becomes present :) |
Well, LTS version aren't provide up2date software, but only security release by definition. |
|
Ironic that they're shipping software that won't receive any security
updates then, isn't it? 😉
…On Thu, 3 Aug 2017 at 09:53, Jens Hausdorf ***@***.***> wrote:
If Ubuntu LTS is shipping with dead software then that's their problem to
fix 😉
Well, LTS version aren't provide up2date software, but only security
release by definition.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#62 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADIvOGluSRCGzt1gtERGCiLDqZpdnevhks5sUYqPgaJpZM4OrxmK>
.
|
|
Once they started shipped it, it was the newest php version. And it is maintained until the mid of 2019. |
|
Unfortunately PHP 5.4 won't be maintained till then (it is not maintained
currently, or even recently). As said previous, having dead (and unsafe)
software on LTS an issue for Ubuntu to work out for themselves. If you're
using LTS with PHP 5.4 you should update PHP to a sane version 😉
(This'll probably work:
https://gist.github.com/aidantwoods/bb26af07588c7fa6c68be237a1caf22c, only
tested on Kali – still Debian though).
If any environment is running PHP 5.4 (or EOL software in general) without
a plan for updates, that's a huge red flag that you have more import issues
to solve than HTTP headers.
…On Thu, 3 Aug 2017 at 10:10, Jens Hausdorf ***@***.***> wrote:
Once they started shipped it, it was the newest php version. And it is
maintained until the mid of 2019.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#62 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADIvODJUUf-rvVilCCiScNS-ibZ86BRJks5sUY52gaJpZM4OrxmK>
.
|
SecureHeaders was originally written in PHP 7.
However, I wanted as many people as possible to be able to use these browser security features easily, and didn't want it to be unusable by someone just because they were stuck with a lazy hosting provider.
So I backported the codebase all the way back to PHP 5.3 (and I took scalar type exceptions back with me! 😉)
PHP 5.6 initial backport: 4565833
PHP 5.4: 2192058
PHP 5.3: cdab04a
A year(-ish) later and two major versions out, the minimum version has increased to PHP 5.4. I think that's where I'm comfortable drawing the line though. It certainly doesn't make sense to continue supporting versions of PHP that the PHP team themselves don't.
As far as official support goes, PHP 5.6 is the only version on 5.x not to be end of life, and it will no longer receive updates unless they are security related. It'll be that way for a while longer, so it might make sense to still support that. We'd even gain the
...operator for type-hinting collections of objects.However, we're still missing proper language enforced type safety for scalars, return type hints, and strict mode to disable "type coercion". For these features, I feel it will be worth dropping 5.6 too.
If you really have to use PHP 5.x,
2.xisn't going anywhere.2.xwill likely enjoy quite a few more updates too. This just forewarning that when3.0finally rolls around, it'll be modern PHP only.Edit: Starting a checklist of sub-tasks/issues in this meta-issue, that'll need to be completed when the transition is underway (don't worry, still not yet).
strict_types=1...operator2.xtoo)The text was updated successfully, but these errors were encountered: