[vox-tech] Risks of upgrading past CentOS 6 supported PHP 5.4?

Dr. Larry Ozeran lozeran at clinicalinformatics.com
Thu Jun 2 22:33:40 PDT 2016


Thanks Rick.

This is why I have such great respect for the members of this list. You 
have such valuable experiences that you are willing to share. I regret 
that I have had the experience of server issues occurring at bad times 
(right after talking about our product at a trade event), but thus far 
none have been PHP or MySQL related, so I very much appreciate the 
insights of others.

Thanks again,

Dr. Larry Ozeran
President, Clinical Informatics, Inc.
(530) 671-9244

On 6/2/2016 18:46, Rick Moen wrote:
> Quoting Dr. Larry Ozeran (lozeran at clinicalinformatics.com):
>
>> Rick, thanks again for your insights.
> You are most welcome.
>   
>> You are, of course, correct that we would not redesign our software
>> without a significant and deep assessment of benefits and costs
>> (money, time, resources, etc.). Most of the PHP, MySQL, and related
>> code has been developed in house. I probably coded 10-15% myself.
>> The intent of my comment was simply to indicate that we do not
>> blindly accept that there is no better option than what we are
>> doing. If there are strong arguments to support considering making a
>> switch, I would not exclude that possibility without reviewing the
>> pros and cons simply because we have a large legacy investment. I
>> consider your response (below) to fall into the 'cons' (to
>> switching) category and will definitely compare your PHP security
>> recommendations against what we currently are and are not doing.
> I am very glad to be of help -- and certainly was trying to be at pains
> to avoid advising anyone to merely redesign, especially without
> knowledge of the particulars.
>
> My own disaffection with PHP was markedly increased when I boarded a
> cruise ship with my wife from San Francisco to Sydney, and right on the
> day of my departure my logcheck reports started indicating a serious
> attempt to break security on my server via (what turned out to be)
> mod_php -- exactly at a time when I had just boarded an ocean vessel
> with only satellite Internet at very high prices.
>
> Somehow with a painfully thin straw of ssh bandwidth and only one hour
> of high-latency, low-reliability Internet access each evening, I was
> able to kludge together a lockout of the kiddies within a couple of
> days and before they were able to compile an exploit kit.  When I
> reached Sydney, one of the first things I did from my hotel room was rip
> out the last bits of public-facing PHP exposure so I'd never have to
> worry about that again.
>
> My _own_ view is that PHP is entirely too much like the scenario
> Marcus Ranum described in his rather caustic 'What Sun Tsu Would Say'
> essay, i.e., as Ranum phrases it, 'If patching hasn't been working, why
> are we still doing it?'  I stopped needing to apply the PHP patch du
> jour by no longer exposing it to public networks.
>
> But whatever works for you is of course great.
>
> _______________________________________________
> vox-tech mailing list
> vox-tech at lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
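An added illustration of the kind of log-driven lockout Rick describes above (this is editorial example code, not anything from the thread, from Rick's server or from logcheck itself): a small scanner over Apache combined-format access logs that flags clients probing for PHP entry points, i.e. many requests for distinct nonexistent .php paths in a short window, and emits firewall rules to drop them. The log lines are constructed for the example, the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation ranges, and the threshold and window are assumptions to tune against your own traffic.

```python
"""Flag PHP-probing clients in constructed Apache access-log lines.

Added example, not code from the vox-tech thread. Assumes the Apache
"combined" log format and treats a client that requests `threshold`
distinct *.php paths returning 404 inside `window` as a scanner.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# combined format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one scanner, one legitimate user with a stray 404,
# and one slow client whose probes are too spread out to trip the window.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Jun/2016:18:40:01 -0700] "GET /phpmyadmin/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2016:18:40:02 -0700] "GET /pma/index.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2016:18:40:02 -0700] "GET /admin/config.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2016:18:40:03 -0700] "GET /wp-login.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2016:18:40:03 -0700] "POST /xmlrpc.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2016:18:41:10 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2016:18:41:12 -0700] "GET /old-page.php HTTP/1.1" 404 213 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Jun/2016:18:41:13 -0700] "GET /favicon.ico HTTP/1.1" 404 213 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Jun/2016:18:00:00 -0700] "GET /a.php HTTP/1.1" 404 213 "-" "curl/7.47"
192.0.2.9 - - [02/Jun/2016:18:15:00 -0700] "GET /b.php HTTP/1.1" 404 213 "-" "curl/7.47"
192.0.2.9 - - [02/Jun/2016:18:30:00 -0700] "GET /c.php HTTP/1.1" 404 213 "-" "curl/7.47"
192.0.2.9 - - [02/Jun/2016:18:45:00 -0700] "GET /d.php HTTP/1.1" 404 213 "-" "curl/7.47"
192.0.2.9 - - [02/Jun/2016:19:00:00 -0700] "GET /e.php HTTP/1.1" 404 213 "-" "curl/7.47"
"""


def parse_line(line):
    """Return ip/time/path/status for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), TIME_FMT),
        "path": m.group("path").split("?", 1)[0],   # drop the query string
        "status": int(m.group("status")),
    }


def find_php_scanners(lines, threshold=5, window=timedelta(minutes=10)):
    """Map ip -> set of probed paths for clients that hit >= threshold
    distinct nonexistent .php paths within any `window`-long span."""
    hits = defaultdict(list)                         # ip -> [(time, path)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404 and rec["path"].lower().endswith(".php"):
            hits[rec["ip"]].append((rec["time"], rec["path"]))

    scanners = {}
    for ip, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):               # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= threshold:
                scanners[ip] = distinct
                break
    return scanners


def block_rules(scanners):
    """Render one iptables DROP rule per flagged source address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(scanners)]


if __name__ == "__main__":
    flagged = find_php_scanners(SAMPLE_LOG.splitlines())
    for ip, paths in flagged.items():
        print(f"{ip}: {len(paths)} distinct missing .php paths")
    print("\n".join(block_rules(flagged)))
```

Run against a real log with `find_php_scanners(open("/var/log/httpd/access_log"))` and review the output before feeding it to the firewall; in practice fail2ban does this job with persistent state and automatic unbanning, and the real lesson of the thread is Rick's last step, removing the public PHP exposure rather than chasing probes.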
