Display warning in security & setup warnings if php version is EOL #17919
Conversation
| @@ -69,6 +69,11 @@ | |||
| t('core', '/dev/urandom is not readable by PHP which is highly discouraged for security reasons. Further information can be found in our <a href="{docLink}">documentation</a>.', {docLink: data.securityDocs}) | |||
| ); | |||
| } | |||
| if(data.phpSupported && data.phpSupported.eol) { | |||
| messages.push( | |||
| t('core', 'Your php version ({version}) is no longer supported. See <a href="{phpLink}">php.net</a>. Please upgrade.', {version: data.phpSupported.version, phpLink: 'https://secure.php.net/supported-versions.php'}) | |||
There was a problem hiding this comment.
Maybe we need to formulate this differently?
There was a problem hiding this comment.
Yes, that sentence is a little brash 😆 Also, make sure the capitalisation is correct
Perhaps "Your PHP version {{version}} is end-of-life, and may pose a security risk. We strongly recommend updating to a newer version." No link to php.net necessary IMO.
|
Thanks a lot for the effort @rullzer :-) |
|
Hmmm, but all these LTS version have a way to upgrade PHP to something more recent. |
|
@oparoz Hmm. Actually no. RHEL lately announced a way to get new php version with support. But others not. |
|
Ah. If you need a version supported by the OS vendor itself, then probably not. |
|
@karlitschek I see this as a subtle reminder to admins that they should upgrade from a (potentially insecure) PHP version. ownCloud won't stop working with 5.4, it'll just show this warning. And as we've seen on the forums and elsewhere, people tend to look at the Setup Warnings section a lot more than documentation or release notes 😄 |
|
@karlitschek Indeed I was not planning on dropping PHP 5.4 support (as I know some distro's only ship 5.4). But we should tell people that the version they are using is not maintained and upstream does not support it any longer. I see this as a way to get the people that can upgrade to upgrade. So that if a security bugs pops up (and lets face it that happens in PHP) less people will be affected. Admins running owncloud on a distro that only ship 5.4 probably know this (and know the risks). But then again it might give some people more incentive to complain to their distro. |
|
Thanks @rullzer - we knew this was coming, good to see the issue here. My opinion is that an informed admin is a better admin. Assuming an admin knows that PHP 5.x is no longer supported, they can take the proper action for them - stick with overall server OS vendor supported stack, and keep the older version of PHP, or upgrade. At least then they will know. As this is not about supporting PHP 5.4 with ownCloud for now, since we still support it - rather this is about the challenge of keeping an environment properly updated - I like having a message. That said, we have to be careful with wording. Current wording makes it sounds like ownCloud don't support your PHP version, that is not quite true. We should consider something like: |
|
Is it possible to have a new yellow error message, a caution, rather than a red warning for the message? Then we can adopt the standard error message approach: red=showstopper, yellow=informational but still works, black=nothing to worry about? |
|
@MTRichards +1 for that, but I fear that's a whole other PR... Perhaps leave this one on standby until we have colours available? |
Agreed. I would make the different colors a separate PR. Should not be hard but best to split it. |
|
Agreed. Just getting the updated warning is all good for me. |
| $eol = true; | ||
| } | ||
|
|
||
| return ['eol' => $eol, 'version' => phpversion()]; |
There was a problem hiding this comment.
This feels so wrong. Use the same way of retrieving the PHP version - either PHP_VERSION or phpversion() but please not mixed.
There was a problem hiding this comment.
jikes you are right.. that is dirty. Will fix.
|
A new inspection was created. |
|
🚀 Test PASSed.🚀 |
|
Tested and works 👍 |
|
👍 |
Display warning in security & setup warnings if php version is EOL
As I suggested in #16428 (comment)
When 8.2 comes out php 5.4 will be End of Life and no longer supported (https://secure.php.net/supported-versions.php). This PR makes sure that we warn admins about this, so they can either upgrade or start complaining to their distro to provider newer packages for PHP. Then at least we did what we could if all of a sudden a huge security exploit in 5.4 is discovered.
CC: @oparoz @DeepDiver1975 @karlitschek @LukasReschke