Re: [RFC][discussion] 5.3 EOL

From: Date: Tue, 08 Jan 2013 13:25:10 +0000
Subject: Re: [RFC][discussion] 5.3 EOL
Groups: php.internals
On Tue, Jan 8, 2013 at 2:18 PM, Johannes Schlüter
<[email protected]> wrote:

> Separating the two questions is "strange" and can lead to unintended
> results. They should be combined into one. Example assumption: 50%+1
> vote for "One year with security fixes only" but are split between "With
> the next PHP 5.3 release" and "Right after the end of this vote"

Not sure I see where the issue is here. One is about how long we want
to support 5.3 and how, and the other is when this phase will begin.

> Whereas 50%-1 vote for "Two years, one normal fixes and one security
> fixes only" and "With the PHP 5.5 final release"
>
> Then the winner will be "One year with security fixes only" and "With
> the PHP 5.5 final release" which probably wasn't intended by the
> majority.

Good point but not sure how to do it without cluttering the 1st part... I
thought that 1st choosing which option and then when to begin (that
does not change the 1st option but when one thinks it is a good time
to announce & begin it).

> Aside from that: I don't think we need "the PHP Security team" to review
> all things, sometimes individual developers can make the choice, too.

It is not what it said, but if the security team defines something as
a security issue.

> And in my opinion this should be more "fluent" where the bar for
> "criticalness" is set higher and higher, instead of suddenly basically
> stopping.

Right, common sense applies here. We both know that.

> In the end we have to deal with two things: On the one side we have
> users, they want a stable platform, they can rely on, without functional
> changes. Many people I talk to don't care much about small bugs with
> easy workarounds, but they care for simple risk-free updates for
> security things (which btw. is a reason why many use distribution
> packages not php.net's)

Same here.

> On the other side are developers, who nowadays have to test 4 branches
> for each essentially trivial fix. This makes the process to verify a
> patch more annoying than it should be. Given that most here are
> volunteers the barrier shouldn't be set too high.

If sec only option is chosen, we should not see too many releases but
every 2-3 months.

> But we've been through this and the both of us won't come to agreement.

We do, but we are not alone. I am for one for two years sec only.

Cheers,
--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org

