backdrop / backdrop-issues

Issue tracker for Backdrop core.

[SR][WP] Warn about EoL PHP versions. #3490

Open klonos opened 5 years ago

klonos commented 5 years ago

This was brought up in Gitter...

@serundeputy:

https://www.zdnet.com/article/wordpress-to-show-warnings-on-servers-running-outdated-php-versions/ Interesting how the notices encouraged and brought to action site upgrades to PHP;

PR by @klonos: https://github.com/backdrop/backdrop/pull/2483

klonos commented 5 years ago

[screenshot: status report page, 2019-01-18]
klonos commented 5 years ago

...setting milestone candidate for 1.13.

PS: @jenlampton is this the process for setting all milestones, or only for next bug fix?

findlabnet commented 5 years ago

Just to be like D8? Any normal long-term supported Linux distro has regular security patches for its included PHP version. Does anyone upgrade PHP itself without needing some version-specific feature? Hmm...

olafgrabienski commented 5 years ago

... your site is running on an insecure version of PHP. (from the help text in the screenshot)

How would we detect insecure PHP versions? Some hosting services have custom PHP versions with security fixes.

klonos commented 5 years ago

The PR assumes that any php version lower than 7.1.0 is insecure.

I understand the argument of LTS versions of Linux, hence this is merely a warning; not an error. We could replace the "your site is running on an insecure version of PHP" with something less "scary", and also be more vague. How about this:

Backdrop has detected that your site is running on a version of PHP 7 that has reached End of Life, so your site may be exposed to unpatched security vulnerabilities. Although Backdrop is compatible with this version of PHP, it is recommended to upgrade to a supported version as soon as possible.

In the case of PHP 5, we could also mention the performance gain of upgrading to PHP 7, same as the goal of the "Recommend PHP 7 in System Requirements documentation" issue:

PHP 7 provides widely recognized significant performance benefits. We also need to do our part to make sure hosts don't get complacent. Drupal was a leader in the successful GoPHP5 movement which brought PHP hosts, and thus development, into the 21st century, a mere 10 years late. With WordPress, a laggard in the PHP5 movement, now stepping up and strongly recommending PHP version 7, it's time for Drupal to do the same ...

...so how about something like this for php5:

Backdrop has detected that your site is running on PHP 5, which has reached End of Life, so your site may be exposed to unpatched security vulnerabilities. Although Backdrop is compatible with this version of PHP, it is recommended to upgrade to PHP7 as soon as possible, to benefit from its widely recognized significant performance benefits.

findlabnet commented 5 years ago

Sorry, but if I cannot say something definitely, I prefer to keep quiet. So much ado about nothing every time; let's try to be no more informative than needed.

docwilmot commented 5 years ago

I agree we should send a message to the site owner. I don't think we need different messages per PHP version.

How would we detect insecure PHP versions? Some hosting services have custom PHP versions with security fixes.

We could say your site may be running an insecure version. I think though the majority of the details can be on BackdropCMS.org and just link to it from the message. So:

Backdrop has detected that your site may be running on an insecure version of PHP. Please see our PHP documentation if you need further information.

klonos commented 5 years ago

Backdrop has detected that your site may be running on an insecure version of PHP. Please see our PHP documentation if you need further information.

I like that ^^ @docwilmot 👍

...an alternative could be what we already have in our README:

Even if Backdrop can run on older versions of PHP, we strongly recommend that you use a supported version of PHP.

docwilmot commented 5 years ago

If the site is already running, it can safely be assumed that Backdrop can run on it, so I don't think we need to say that. :smile:

klonos commented 5 years ago

So, saying that the version is insecure might not be the case 100% of the times, because certain LTS distros still backport security fixes, and there is no easy way to detect that. How about we simply state the fact, which is that the detected version has reached EoL?

I think that we should still support the "Go PHP7" movement, and one fact is that php7 has proven to be considerably faster than php5 (just look at the time it takes to run our php5 vs php7 tests). So how about this instead:

Backdrop has detected that your site is running on a version of PHP that has reached End of life status. We strongly recommend to upgrade to a supported version, in order to take advantage of all the security and performance improvements.

...either that, or change the second sentence of that text to something along the lines of:

...Backdrop runs better/faster on php7.1+.

What do you guys think?

...ping @jenlampton re wording 😄

olafgrabienski commented 5 years ago

@klonos I like the text with "End of life" which mentions security and performance improvements without mentioning a certain PHP version. Maybe we can shorten it a bit, removing the phrase "Backdrop has detected that" (which gives the impression we would keep people under surveillance) and the filler words "all the".

Your site is running on a version of PHP that has reached End of life status. We strongly recommend to upgrade to a supported version, in order to take advantage of security and performance improvements.

olafgrabienski commented 5 years ago

The PR assumes that any php version lower than 7.1.0 is insecure.

If we merge the PR, we need a reminder for 1 Dec 2019, when PHP 7.1 security update support will end.

klonos commented 5 years ago

Excellent suggestions re the wording of the message @olafgrabienski 👍 ...I have updated the PR:

[screenshot: updated status report page, 2019-01-21]

If we merge the PR, we need a reminder for 1 Dec 2019 when PHP 7.1. security update support will end.

The way I have implemented this, there is a MINIMUM_SUPPORTED_PHP_VERSION_ID constant, which is currently set to 70100 (I have left the BACKDROP_MINIMUM_PHP constant as is, because). All we need to do on Dec 1, 2019 is to change the single line of code to 70200 😉
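
As an added example (not the PR's or Backdrop's own code), here is a hook_requirements() style check that encodes the threshold the way PHP_VERSION_ID does and emits the agreed wording as a warning. It assumes hook_requirements() and REQUIREMENT_WARNING are the Drupal 7 style API Backdrop inherits; the example_ names are hypothetical.

```php
<?php
// Added example, not the PR's code. Mirrors the approach above: a version-ID
// constant compared against the running PHP version from hook_requirements(), the
// Drupal 7 style API Backdrop inherits (assumption). "example_" names are hypothetical.

// Backdrop's install.inc defines this; the fallback lets the file run stand-alone.
if (!defined('REQUIREMENT_WARNING')) {
  define('REQUIREMENT_WARNING', 1);
}

// Same encoding as PHP_VERSION_ID: 7.1.0 -> 70100. When the next branch loses
// security support, this single line is bumped (e.g. to 70200).
define('EXAMPLE_MINIMUM_SUPPORTED_PHP_VERSION_ID', 70100);

// Encodes "major.minor.patch" the way PHP_VERSION_ID does (7.0.33 -> 70033).
function example_php_version_id($version) {
  list($major, $minor, $patch) = array_map('intval', explode('.', $version . '.0.0'));
  return $major * 10000 + $minor * 100 + $patch;
}

// Returns a status report row when $version is below the supported minimum,
// NULL otherwise. Severity is a warning, not an error: Backdrop still runs, and a
// distro may backport fixes to an EoL branch, which the version number cannot show.
function example_php_eol_requirement($version) {
  if (example_php_version_id($version) >= EXAMPLE_MINIMUM_SUPPORTED_PHP_VERSION_ID) {
    return NULL;
  }
  return array(
    'title' => 'PHP',
    'value' => $version,
    'severity' => REQUIREMENT_WARNING,
    'description' => 'Your site is running on a version of PHP that has reached '
      . 'End of life status. We strongly recommend to upgrade to a supported version, '
      . 'in order to take advantage of security and performance improvements.',
  );
}

// Implements hook_requirements(); the runtime phase feeds the status report page.
function example_requirements($phase) {
  $requirements = array();
  if ($phase == 'runtime' && ($row = example_php_eol_requirement(PHP_VERSION))) {
    $requirements['php_eol'] = $row;
  }
  return $requirements;
}

// Stand-alone check of the boundary: 7.0.33 warns, 7.1.0 does not.
var_dump(example_php_eol_requirement('7.0.33') !== NULL);
var_dump(example_php_eol_requirement('7.1.0') === NULL);
```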

docwilmot commented 5 years ago

My problem with this wording though is that you are now depending on the user to click a link to find out that their PHP is insecure. I may not click that link. I prefer the WP wording.

olafgrabienski commented 5 years ago

My problem with this wording though is that you are now depending on the user to click a link to find out that their PHP is insecure. I may not click that link. I prefer the WP wording.

Comparison:

WordPress has detected that your site is running on an insecure version of PHP. (...)

Your site is running on a version of PHP that has reached End of life status. (...)

What's the advantage of the WordPress wording? In my opinion, it seems more clear at first sight but it doesn't contain more information. Also, it doesn't take into account that a PHP version may be patched.

docwilmot commented 5 years ago

My point is that seeing the word "insecure" is more likely to result in action than "End of Life" because the latter requires further reading to figure out what that means.

olafgrabienski commented 5 years ago

Okay, I see! What about something like this:

Your site is running on an insecure version of PHP (unless it receives security patches, e.g. by your hosting provider). We strongly recommend to upgrade to a supported version, in order to take advantage of security and performance improvements.

klonos commented 5 years ago

OK, I'll wait for a few more people to chime in before I update the PR again 😅

klonos commented 5 years ago

I like how ClassicPress is handling things, and the wording they are using here:

Increase the Minimum PHP Version to 7.x

WordPress has been burdened with the need to maintain compatibility with PHP versions below 7.x. This has led to lower quality, bloated code.

ClassicPress is taking a measured approach to introducing PHP 7, as follows:

  • We will use a PHP version check to make sure the site being upgraded is compatible with the new version. If the version check doesn’t pass, then we’ll block the upgrade, similar to how the migration plugin works today.
  • As we get closer to version 2 release, we’ll take a look at the distribution of PHP versions on ClassicPress 1.x sites.
  • In a ClassicPress 1.x release, we’ll include a prompt to upgrade older PHP versions. This should help move the needle further and encourage more users to upgrade.
  • We’ll use the results from the active installation numbers, as well as the PHP support timeline, to decide on a minimum PHP version for ClassicPress v2.x. It may be as high as PHP 7.2 or 7.3, but we need more information about active installations and support timelines before any decisions are made.

If this approach works well as we move from Version 1 to Version 2, it should be an approach that we can repeat with each major version of ClassicPress.

klonos commented 4 years ago

Cross-referencing #4617, which I think will help here 😉

indigoxela commented 4 years ago

Fun fact: your status page screenshot shows a php package from deb.sury.org - which still supports and updates several EOL php versions (5.6 and up to 7.4).

That and the fact that several Linux distributions also backport security patches makes it relatively hard to figure out what version actually is insecure.

A 7.0 version that still gets loving care by a distribution and is up to date with it can be more secure than a 7.4 compiled half a year ago. Tricky details... :wink: