[Request] Update PHP to 8.3.6 and 8.2.18

[SagePtr]

Frequently asked questions

• [x] I have read Frequenty Asked Questions

Is your feature request related to a problem? Please describe. Request to update PHP to 8.3.6 and 8.2.18

[rfay]

I see these coming through, thanks @oerdnj

I see lots more for amd64 than for arm64

Since your jenkins dashboard is no longer public, could you post a note when the jobs have finished, especially amd64 and arm64 Debian Bookworm?

Thanks!

[oerdnj]

The machine running Jenkins kept crashing when too many jobs are running at the same time, so I had to limit the number of the concurrent jobs. The amd64 is native platform, so it builds much faster.

[rfay]

It looks like the arm64 builds probably failed after doing just 8.3, none of the others have showed up yet. Would appreciate if you could push them again. (Looking for Debian 12 Bookworm arm64 php5.6-8.2)

[oerdnj]

It’s building 8.1 now, but there’s just a single builder running, so it’s all just queued.

[rfay]

I see PHP7.2 on arm64 now, thanks. But so very slow :)

[rfay]

Progress, thanks! php7.2, 8.1, 8.2, 8.3 are there.

[rfay]

Yay, now php5.6 is done, now just missing 7.0, 7.1, 7.3, 7.4, 8.0

Thanks for all your work on this as always!

[oerdnj]

I think I should be able to disable running tests if the guest and host architectures does not match.

Also - any tips for arm64 machine that I could shove into the basement has a lot of memory - at least 32GB (so probably not RPi)?

[rfay]

Would love you to have an arm64 machine. DDEV does use CircleCI for native arm64 builds/tests, it's an option, not sure if that would work out for you.

[oerdnj]

Bought two Orange Pi 5 Plus 32GB, they should arrive at the beginning of the month. Let’s see how successful I am going to be running Jenkins node on those ;)

[rfay]

Making progress, now we have php7.2/7.3/7.4/8.1/8.2/8.3, just missing 7.0, 7.1, 8.0, thanks for keeping these running!

[brandelc]

I only see 8.1.27 and not 8.1.28 in the pool, for example here https://packages.sury.org/php/pool/main/p/php8.1/, am I missing something? Is that still in the queue?

[oerdnj]

I only see 8.1.27 and not 8.1.28 in the pool, for example here https://packages.sury.org/php/pool/main/p/php8.1/, am I missing something? Is that still in the queue?

8.1.28 was released quite late, so I've backported all the security fixed to 8.1.27 and released it as 8.1.27-4:

php8.1 (8.1.27-4) unstable; urgency=medium

  * Backported from 8.1.28
   + CVE-2024-1874: Fixed bug GHSA-pc52-254m-w9w7 (Command injection via
     array-ish $command parameter of proc_open).
   + CVE-2024-2756: Fixed bug GHSA-wpj3-hf5j-x4v4 (__Host-/__Secure-
     cookie bypass due to partial CVE-2022-31629 fix).
   + CVE-2024-3096: Fixed bug GHSA-h746-cjrr-wfmr (password_verify can
     erroneously return true, opening ATO risk).

 -- Ondřej Surý <ondrej@debian.org>  Thu, 11 Apr 2024 23:06:08 +0200

[oerdnj]

@rfay Of course the build process stopped in the middle. Can you check what you still see as missing on your side, please?

[rfay]

AFAICT on arm64 we're still where we were, php7.2/7.3/7.4/8.1/8.2/8.3 are there, just missing new push for 7.0, 7.1, 8.0

Maybe those have no changes?

Thanks as always.

[brandelc]

I only see 8.1.27 and not 8.1.28 in the pool, for example here https://packages.sury.org/php/pool/main/p/php8.1/, am I missing something? Is that still in the queue?

8.1.28 was released quite late, so I've backported all the security fixed to 8.1.27 and released it as 8.1.27-4:

Thank you for the clarification!

[oerdnj]

@rfay I've shuffled my home machines a little bit and the Jenkins is now running on 32-core i9-13900K and is not virtualized inside Proxmox PVE. I hope this will both make the builds faster and stabilise the build machine, so it doesn't shutdown when many concurrent jobs are running.

This will make my development machine slower as I moved back to slightly older machine, but I can probably live with that.

[rfay]

You're awesome, thanks so much!