[vox-tech] Risks of upgrading past CentOS 6 supported PHP 5.4?

Rick Moen rick at linuxmafia.com
Thu Jun 2 18:46:32 PDT 2016


Quoting Dr. Larry Ozeran (lozeran at clinicalinformatics.com):

> Rick, thanks again for your insights.

You are most welcome.
 
> You are, of course, correct that we would not redesign our software
> without a significant and deep assessment of benefits and costs
> (money, time, resources, etc.). Most of the PHP, MySQL, and related
> code has been developed in house. I probably coded 10-15% myself.
> The intent of my comment was simply to indicate that we do not
> blindly accept that there is no better option than what we are
> doing. If there are strong arguments to support considering making a
> switch, I would not exclude that possibility without reviewing the
> pros and cons simply because we have a large legacy investment. I
> consider your response (below) to fall into the 'cons' (to
> switching) category and will definitely compare your PHP security
> recommendations against what we currently are and are not doing.

I am very glad to be of help -- and certainly was trying to be at pains
to avoid advising anyone to merely redesign, especially without
knowledge of the particulars.

My own disaffection with PHP was markedly increased when I boarded a
cruise ship with my wife from San Francisco to Sydney, and right on the
day of my departure my logcheck reports started indicating a serious 
attempt to break security on my server via (what turned out to be)
mod_php -- exactly at a time when I had just boarded an ocean vessel
with only satellite Internet at very high prices.

Somehow with a painfully thin straw of ssh bandwidth and only one hour
of high-latency, low-reliability Internet access each evening, I was
able to kludge together a lockout of the kiddies within a couple of
days and before they were able to compile an exploit kit.  When I
reached Sydney, one of the first things I did from my hotel room was rip
out the last bits of public-facing PHP exposure so I'd never have to
worry about that again.

My _own_ view is that PHP is entirely too much like the scenario 
Marcus Ranum described in his rather caustic 'What Sun Tsu Would Say'
essay, i.e., as Ranum phrases it, 'If patching hasn't been working, why
are we still doing it?'  I stopped needing to apply the PHP patch du
jour by no longer exposing it to public networks.

But whatever works for you is of course great.
