15

I have a query regarding PHP updates on my Ubuntu servers.

I've noticed that PHP versions from here https://launchpad.net/~ondrej/+archive/ubuntu/php seem to get updates a lot faster than the official Ubuntu PHP packages do.

My primary use case is to run PHP production environments on these Ubuntu servers, and although using the official Ubuntu repos would usually be the best option, would actually using the 'ondrej PPA' be more secure, since they get bug fixes and CVE patches a lot faster, considering that my primary use case is a PHP server?

Ideally I'd like to update things like this https://www.php.net/ChangeLog-7.php#7.0.14 soon after they are released by the PHP core team and not wait x months for ubuntu to package it up. The package maintainer of the suggested PPA also seems to be the person who does the official packages for Debian, from what I gather.

What are the practical downsides to using something non-official in production in this use case? Would you not recommend it?


Solution summary

Based on answers from the comments and the selected solution: Canonical apply security patches to the currently packaged PHP version. As a result, the official package with Ubuntu is just as secure, but would not contain any extra features the PHP core team have added, meaning it wouldn't introduce bugs/regressions, which would be important for many users.

The /~ondrej PPA can be considered trustworthy in this case, with many users relying on the PPA, frequent updates, and the maintainer being one of the core Debian package maintainers.

In my instance, I have opted to use this PPA, as it allows me to utilise features that come with PHP 7.1.

Thanks for all your help.

Matt
  • 325
  • 2
    "... and not wait x months for ubuntu to package it up" - Wait, do you have sources for Canonical dragging their feet on security patches for that long? My experience with Debian (on which Ubuntu is based) is that important security updates are pretty quick, usually within 48 hours of announcements. – marcelm Jan 09 '17 at 16:06
  • "Wait, do you have sources for Canonical dragging their feet on security patches for that long?" -- I doubt this is true except where Canonical have triaged issues as not security impacting or of low security importance. See the Ubuntu CVE tracker for information about any specific security issue. – Robie Basak Jan 09 '17 at 17:47
  • @marcelm I'm not really sure honestly, from what I gather the latest version you can get on Ubuntu is Version 7.0.8 from PHP, which they released on the 23rd June 2016, the latest in 7.0 is Version 7.0.14 from the 8th Dec 2016, the latest package on Debian seems to be Version 7.0.14; in line with PHP? https://packages.debian.org/stretch/php7.0 http://packages.ubuntu.com/xenial/php7.0 - But I may just be reading it wrong? – Matt Jan 09 '17 at 18:43
  • 2
    @Matt: Canonical usually patches the currently packaged version of a piece of software instead of packaging and redistributing an entirely new (minor) upgrade of it. This fixes security flaws and avoids the introduction of new bugs or regressions. So, even if the PHP developers only fixed a flaw in v7.0.12 and Canonical distributes v7.0.8, the latter can still include the patch that fixed the flaw, and it usually does shortly after the release of the patch (I'm pulling the version numbers out of thin air for the sake of the example here). – David Foerster Jan 10 '17 at 09:57
  • Usually important bugfixes are backported by the distribution to previous versions of software, so the version number might be lower and yet the bugs actually fixed. – Muzer Jan 10 '17 at 10:11
  • @DavidFoerster Ah thanks for explaining, that makes sense. – Matt Jan 10 '17 at 10:44
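The two checks the comments above imply, as an added example that is not part of the original question or its comments: first, which repository the installed php7.0 package actually came from (the Ubuntu archive/security pocket or the PPA), and second, whether the Ubuntu package's changelog records a backported fix for a given CVE even though its version number is lower than upstream's. On a real host the text comes from `apt-cache policy php7.0` and `apt changelog php7.0` (or `zcat /usr/share/doc/php7.0/changelog.Debian.gz`); here both inputs are constructed samples, and the version strings, dates and the placeholder `CVE-0000-0001` are assumptions for the example, not real advisories or real package versions.

```shell
#!/bin/sh
# Added example (not from the original post). Parses constructed samples of
# `apt-cache policy php7.0` and `apt changelog php7.0` output to answer:
#   1. where does the *installed* php7.0 package come from?
#   2. does the packaged version's changelog record a fix for a given CVE?
# Versions, dates and CVE-0000-0001 below are placeholders, not real data.

# Constructed `apt-cache policy php7.0` on a host using only Ubuntu repos
# (the PPA is enabled but its newer build is not installed).
POLICY_UBUNTU='php7.0:
  Installed: 7.0.8-0ubuntu0.16.04.3
  Candidate: 7.0.14-2+deb.sury.org~xenial+1
  Version table:
     7.0.14-2+deb.sury.org~xenial+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu xenial/main amd64 Packages
 *** 7.0.8-0ubuntu0.16.04.3 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
        100 /var/lib/dpkg/status'

# Constructed `apt-cache policy php7.0` on a host that installed the PPA build.
POLICY_PPA='php7.0:
  Installed: 7.0.14-2+deb.sury.org~xenial+1
  Candidate: 7.0.14-2+deb.sury.org~xenial+1
  Version table:
 *** 7.0.14-2+deb.sury.org~xenial+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu xenial/main amd64 Packages
        100 /var/lib/dpkg/status
     7.0.8-0ubuntu0.16.04.3 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages'

# Constructed `apt changelog php7.0`: a backported fix recorded against the
# older Ubuntu version number. CVE-0000-0001 is a placeholder identifier.
CHANGELOG_SAMPLE='php7.0 (7.0.8-0ubuntu0.16.04.3) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder fix backported from a later upstream release
    - debian/patches/CVE-0000-0001.patch: placeholder entry
    - CVE-0000-0001

 -- Constructed Sample <sample@example.invalid>  Mon, 09 Jan 2017 12:00:00 +0000

php7.0 (7.0.8-0ubuntu0.16.04.2) xenial; urgency=medium

  * No-change rebuild (constructed entry)

 -- Constructed Sample <sample@example.invalid>  Thu, 01 Dec 2016 12:00:00 +0000'

# installed_origin POLICY_TEXT
# Prints "ppa", "ubuntu", "local-only", "unknown" or "not-installed" based on
# the sources listed under the "***" (installed) entry of the version table.
installed_origin() {
    printf '%s\n' "$1" | awk '
        /^ \*\*\* /                        { inst = 1; next }
        inst && !/^        /               { exit }   # next version entry
        inst && /ppa\.launchpad\.net\//    { print "ppa"; done = 1; exit }
        inst && /ubuntu\.com\/ubuntu/      { print "ubuntu"; done = 1; exit }
        inst && /\/var\/lib\/dpkg\/status/ { stat = 1 }
        END {
            if (done) exit 0
            if (!inst) print "not-installed"
            else print (stat ? "local-only" : "unknown")
        }'
}

# changelog_fixes CHANGELOG_TEXT CVE-ID
# Prints the package version of the newest changelog entry that mentions
# CVE-ID and returns 0; returns 1 (prints nothing) if no entry mentions it.
changelog_fixes() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        # Entry header: "php7.0 (7.0.8-0ubuntu0.16.04.3) xenial-security; urgency=medium"
        /^[a-z0-9.+-]+ \([^)]+\) / { ver = $2; gsub(/[()]/, "", ver); next }
        ver != "" && $0 ~ ("(^|[^0-9])" cve "([^0-9]|$)") { print ver; hit = 1; exit }
        END { if (hit) exit 0; exit 1 }'
}

# Demo on the constructed samples: the lower Ubuntu version number still
# carries the (placeholder) CVE fix, which is the point made in the comments.
printf 'host A installed from: %s\n' "$(installed_origin "$POLICY_UBUNTU")"
printf 'host B installed from: %s\n' "$(installed_origin "$POLICY_PPA")"
if ver=$(changelog_fixes "$CHANGELOG_SAMPLE" CVE-0000-0001); then
    printf 'CVE-0000-0001 fixed in package version %s\n' "$ver"
else
    printf 'CVE-0000-0001 not mentioned in the packaged changelog\n'
fi
```

On a real server, call `installed_origin "$(apt-cache policy php7.0)"` and `changelog_fixes "$(apt changelog php7.0)" CVE-YYYY-NNNN` with the CVE you care about. A hit in the changelog confirms the packaged version carries that patch; a miss is not proof that it is unfixed, since the Ubuntu CVE tracker that Robie Basak points to is where Canonical's triage decision (fixed, pending, or deemed not affected) is recorded.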

1 Answer

14

The package maintainer of the suggested PPA also seems to be the person who does the official packages for Debian, from what I gather.

... is the crucial part for me.

If this is the case, all you would need to do is keep track of what changes in the crew of the PHP package. When the maintainer quits and someone takes over, it might warrant holding back updates until the new maintainer proves him/herself.

What you also should ask yourself: do I need the features the Ubuntu version does not give me yet? If the answer is no, don't use that PPA. If the answer is yes, you could consider it.

What are the practical downsides to using something non-official in production in this use-case?

You will also pull in bugs quicker. Bugs Ubuntu will not fix for you (since it does not know about them).

Would you not recommend it?

In general: no. In this case: it is probably worth it if you need the extra features.

Rinzwind
  • 299,756
  • I trust it too because it seems to be from a Debian package maintainer. This might not be the level of trust I would hope for, but it is very close. And I trust it more than some third-party PHP frameworks and libraries that I must use. – Liam Feb 27 '19 at 15:55