[PHP7] Request for testing

Nish Aravamudan nish.aravamudan at canonical.com
Wed Apr 6 00:33:12 UTC 2016


On 04.04.2016 [22:39:15 +0100], Robie Basak wrote:
> On Mon, Apr 04, 2016 at 02:35:44PM -0700, Seth Arnold wrote:
> > I think it is a mistake to add drupal8 to our archives. No one has tended
> > to existing versions:
> > 
> > http://people.canonical.com/~ubuntu-security/cve/pkg/drupal6.html
> > http://people.canonical.com/~ubuntu-security/cve/pkg/drupal7.html
> > 
> > Anyone installing drupal from our archives is getting something that we
> > know is old and has security issues.
> > 
> > Packaging drupal is providing negative value to our users. If
> > someone absolutely must run drupal, they'd be best served to run an
> > upstream tarball. Then it is clear who has the burden of following
> > updates.
> > 
> > Unless someone has a serious commitment to SRUing every single upstream
> > update for the life of 16.04 LTS I think we'd be better off dropping
> > drupal entirely.
> 
> I understand the sentiment here, but I feel that we should be consistent
> about this across the archive. We've already done the same for bitcoin
> and owncloud, though I think that was based on upstream sentiment.
> 
> drupal7 -> drupal8 really just maintains the status quo here.
> 
> If we want to drop drupal, we should also consider other similar
> packages like wordpress IMHO.

Yes, absolutely. In some sense, the software ecosystem has changed
considerably, as well, I'd say -- containers, more rapid upstream
development, etc. So, at this point, it's having drupal just to say we
have it -- I'm not sure I'd recommend anyone install drupal7 as packaged
by Ubuntu (cf. Seth's CVE list; the fact that Debian has 7.43 in
testing/unstable and Xenial is at 7.41; that upstream 7.43 mentions
"This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security
announcement:").

> Perhaps something to ask ubuntu-devel or the TB to consider.

It's not clear if that was directed at me or Seth, but based upon IRC
comments, it seems like this is something that has been brought up in
the past (Should Ubuntu package web frameworks?) and the discussion
didn't go far. I can try it again, if that would be the preferred route.

I don't know what to say wrt drupal7 v. drupal8. I have been advised
that it would not be acceptable to simply drop drupal7 from the archive
(as it does not yet support PHP7.0). We could leave it in as
uninstallable until someone takes the time to SRU in the fixes, although
it's not 100% clear to me they would satisfy the normal SRU policy. Or
we could upgrade to drupal8 now, which does support PHP7.0 and be in the
same security boat we are in now.

I don't know what "the" answer is here, but thanks for the feedback
everyone!

-Nish
