I'm of mixed feelings on this. I think people should be aware of what they're doing when going outside of OS-provided packages. You lose the maintenance commitment.
Saying the Remi or Sury or whatever repos are "maintained" is only sort of true. They are maintained in the sense that when updates become available from upstream, they will get rolled out to those repos. But, if you're running a PHP version that is EOL upstream, Remi or Sury will not backport security fixes. That's a huge job, and not something a small project could do, but it is something an OS vendor like Red Hat or Ubuntu can do (slightly less so for Debian, but Debian can borrow from the commercial vendors), because they have a large team.
Installing an old PHP version from a third-party repo is potentially quite dangerous. It might reach EOL at some point in the future and if you aren't paying attention, you'll be running an exploitable version at that point. With an OS-maintained version, you can be reasonably confident that won't happen during the life of the OS.
Third-party packages should be used with caution and awareness about the trade-offs you are making. Maybe our documentation needs to be more explicit about all that. But, the best choice is running only OS-provided packages. If you must diverge from that, you'll want to do so with care…maybe keep an eye on PHP EOL notices.
I should also mention that any control panel that dumps a bunch of PHP versions on your system by default is putting you at risk; they aren't helping you. Nobody is seriously maintaining PHP beyond the upstream EOL except for the major Linux distros, so if you're running a PHP version that is EOL upstream, and it came from anyone other than a major distro vendor, you're probably at risk. PHP 7 is EOL. If you're running a Remi or Sury version of PHP 7, or one from any other third party, you're at risk. Likewise PHP 8.0.
Anyway, my concern is that if we put this behind a button, instead of requiring reading some docs, a whole lot of people are going to go hog wild and install a half-dozen PHP versions, as though that's somehow better (it's wasteful of memory, at the very least, even if you don't grab any insecure versions). We already find a lot of folks with a half-dozen versions of PHP, which doesn't even make sense. The vast majority of PHP software runs on a reasonably recent version, and very rarely do you need to go out of your way to get something really old or really new.
Just be careful out there when you're going off-roading.
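A concrete way to "keep an eye on PHP EOL notices" for the versions actually installed on a box, as an added example that is not part of the post above nor any project's own tooling: the script below lists every PHP binary under /usr/bin, extracts its MAJOR.MINOR branch, compares that against an embedded end-of-security-support table, and shows which package and repository the binary came from. Assumptions: the EOL dates are hard-coded from php.net's supported-versions page and must be re-checked before trusting the output; the binary paths, the `dpkg -S` / `apt-cache policy` parsing and the `rpm -qf` vendor tag reflect Debian-family and RPM-family layouts and are illustrative, not guaranteed for every distribution.

```shell
#!/bin/sh
# Added example: flag installed PHP branches that are past upstream security
# support, and show where each binary's package came from.

# End of upstream *security* support per branch, as hard-coded in this
# example (assumption: verify at https://www.php.net/supported-versions.php).
php_branch_eol() {
    case "$1" in
        7.4) echo 2022-11-28 ;;
        8.0) echo 2023-11-26 ;;
        8.1) echo 2025-12-31 ;;
        8.2) echo 2026-12-31 ;;
        8.3) echo 2027-12-31 ;;
        8.4) echo 2028-12-31 ;;
        5.*|7.[0-3]) echo 2021-12-06 ;;  # every branch up to 7.3 ended on or before this date
        *) echo unknown ;;
    esac
}

# php_branch_status MAJOR.MINOR [YYYY-MM-DD] -> eol | supported | unknown
# The date argument defaults to today; it is exposed so the logic is testable.
php_branch_status() {
    branch=$1
    today=${2:-$(date +%Y-%m-%d)}
    eol=$(php_branch_eol "$branch")
    if [ "$eol" = unknown ]; then
        echo unknown
        return
    fi
    # ISO dates compare correctly as integers once the hyphens are removed
    if [ "$(echo "$today" | tr -d -)" -gt "$(echo "$eol" | tr -d -)" ]; then
        echo eol
    else
        echo supported
    fi
}

# php_branch_from_banner "PHP 8.2.12 (cli) (built: ...)" -> 8.2
php_branch_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\)\..*/\1/p'
}

# Which package (and, on apt systems, which repository) owns a binary.
# /usr/bin/php is usually an update-alternatives symlink, so resolve it first.
php_binary_origin() {
    real=$(readlink -f "$1" 2>/dev/null || echo "$1")
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$real" 2>/dev/null | head -n 1 | cut -d: -f1)
        if [ -z "$pkg" ]; then
            echo "not from a package"
            return
        fi
        # In 'apt-cache policy' output the line after '***' names the source
        # of the installed version (assumption about the output layout).
        repo=$(apt-cache policy "$pkg" 2>/dev/null | grep -A1 '^ \*\*\*' | tail -n 1 | awk '{print $2}')
        echo "$pkg from ${repo:-unknown repo}"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$real" --qf '%{NAME} from %{VENDOR}\n' 2>/dev/null || echo "not from a package"
    else
        echo "unknown packaging"
    fi
}

# Walk the usual binary locations and print one line per PHP found.
report_installed_php() {
    found=0
    for bin in /usr/bin/php /usr/bin/php[0-9]*; do
        [ -x "$bin" ] || continue
        found=1
        branch=$(php_branch_from_banner "$("$bin" -v 2>/dev/null | head -n 1)")
        printf '%s  branch=%s  %s  (%s)\n' "$bin" "${branch:-?}" \
            "$(php_branch_status "${branch:-0.0}")" "$(php_binary_origin "$bin")"
    done
    [ "$found" -eq 1 ] || echo "no PHP binaries found under /usr/bin"
}

report_installed_php
```

Run it as any user on the server; anything reported as `eol` whose origin is not the distro's own repository is exactly the case the post warns about, since nobody upstream of that package is backporting fixes to it. Extend the `case` table as new branches ship, or replace it with a fetch of php.net's EOL data if the host has outbound access.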