Support Newer PHP Versions


velaware


According to here: http://docs.blesta.com/display/user/Requirements Blesta supports PHP versions as low as 5.1.3.

 

Looking at the end of life (EOL) of PHP's releases (http://php.net/eol.php), which means absolutely no support anymore except for MAYBE security releases, here's how it breaks up:

  • PHP 5.1 EOL: August 24, 2006
  • PHP 5.2 EOL: January 6, 2011
  • PHP 5.3 EOL: August 14, 2014

Now there are some points here:

  • Blesta doesn't take advantage of some of the nicer features of PHP 5.3+, namely namespaces (release notes on 5.3: http://php.net/releases/5_3_0.php)
  • The fact that Blesta supports such outdated versions of PHP leaves itself open to some vulnerabilities due to also having to use old/outdated scripts that still support legacy versions as well
  • 5.3's EOL just happened, and it has been stated by the PHP team that they are only focused on security updates for it now, and 5.4 is not far behind
  • 5.6 just came out, with talks already of either a 5.7 or finally releasing PHP 7 within the next year or two

There's also the problem that now Blesta has to provide ionCube-encoded files for not only pre-5.5 but also 5.5 and potentially newer versions.  I.e.: I develop with 5.5, and want to upgrade to 5.6 but can't due to this.

 

From a developer standpoint, using more current versions of PHP provides a lot more opportunities to developers (i.e.: namespaces are amazing for a community-driven project like Blesta gives the vibe of).  Granted, compared to WHMCS it already is in a lot of ways, but I feel this is holding Blesta back more than anything.  If hosts are using such archaic versions of PHP to begin with then there's more issues than Blesta can deal with.

 

I simply propose supporting the feature set of 5.3 and higher (at least 5.3), as supporting something that was discontinued 8 years ago to this day does make development for it more difficult than it should be.


You can use 5.1, 5.2, 5.3, 5.4 with the default files.... use the hotfix-5.5 folder contents to overwrite the licensing files... This will allow you to use Blesta on 5.5, 5.6, 5.x

Yes, the point though isn't what can be used, it's that for both security and development reasons supporting versions of PHP that are 8 years dead shouldn't be there.  There's a reason why people don't use libraries that haven't been updated in years.

 

In reference to the link you posted/edited afterwards, 5.6 was just released within the past week.  You asked when it was still in testing.  No company should logically support testing-phase software, but now that 5.6 is officially out for everyone ready for production, they should support it.


Does anyone have a good argument for supporting the older versions? Unless you're running it on the same server as lots of shared hosting clients you should be able to keep PHP updated easily. And if that is the case just put Blesta on its own VM. I have a VM especially for Blesta/main site and I'm currently running 5.5, upgrading to 5.6 soon.


Does anyone have a good argument for supporting the older versions? Unless you're running it on the same server as lots of shared hosting clients you should be able to keep PHP updated easily. And if that is the case just put Blesta on its own VM.

Hell, even put support to 5.3 instead of 5.1.x.  At least 5.3 will still be supported for now, and I don't even know of a host that does (or at least should) support 5.1 or 5.2.

 

Even on shared hosting, if people won't upgrade their sites to use something more stable, then you're putting 10 people at risk to please 1.


I like.  But will this also bring in the more recent features (namespaces, closures, etc...) to both Blesta's core and the developers, or no?

 

We are going to be making use of PHP 5.3 specific features including namespaces, etc.. however to what extent and when I'll defer to Cody. That is the point really, to raising the minimum requirement.


Does anyone have a good argument for supporting the older versions? Unless you're running it on the same server as lots of shared hosting clients you should be able to keep PHP updated easily. And if that is the case just put Blesta on its own VM. I have a VM especially for Blesta/main site and I'm currently running 5.5, upgrading to 5.6 soon.

Generally (I will explain why I think Blesta is not in this category) it can be a problem for hosting companies which have many clients and don't implement multi PHP selectors.

I have tons of users that use 5.1, 5.2 or 5.3; in fact 90% of them are at 5.3 and lower. But since I implement multi PHP selectors on all servers, including cPanel running on CentOS (I have two on CentOS, the rest run on CloudLinux), it is not a problem for me. Now, why I think Blesta can safely be excluded from this: because it is billing software, and 95% of webmasters host this kind of software isolated and not on the same server where clients are (this is essential), so in theory they will not have a problem editing the configuration without breaking clients.


Generally (I will explain why I think Blesta is not in this category) it can be a problem for hosting companies which have many clients and don't implement multi PHP selectors.

I have tons of users that use 5.1, 5.2 or 5.3; in fact 90% of them are at 5.3 and lower. But since I implement multi PHP selectors on all servers, including cPanel running on CentOS (I have two on CentOS, the rest run on CloudLinux), it is not a problem for me. Now, why I think Blesta can safely be excluded from this: because it is billing software, and 95% of webmasters host this kind of software isolated and not on the same server where clients are (this is essential), so in theory they will not have a problem editing the configuration without breaking clients.

While I understand your point, here's basically another way I can think of to look at it:

 

Blesta uses phpseclib to do a lot of (if not all) the encryption and ciphering of sensitive data like CC numbers.  In supporting 5.1.2, Blesta also has to use a version of phpseclib that supports 5.1.2.

 

What this means is that if PHP 5.1.2 isn't compiled with a newer version of, say, OpenSSL, then things in phpseclib and PHP itself that use OpenSSL functions are potentially vulnerable to the Heartbleed attack.  Thus rendering any sensitive information completely null.

 

This isn't to say that it would happen this way, but this is a major security risk that shouldn't be ignored until something happens (and Blesta gets blamed for carrying an outdated version of a security library).

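The posts above tie the minimum PHP version to the EOL dates quoted earlier in the thread and to the OpenSSL build behind the runtime. The following preflight check reports both; it is an added example, not part of the thread or of Blesta's code, and the function names and the sample version strings are assumptions made for illustration.

```php
<?php
// Added example, not Blesta code. EOL dates are the ones quoted in this thread.
$EOL = array('5.1' => '2006-08-24', '5.2' => '2011-01-06', '5.3' => '2014-08-14');

/** Return the EOL date for a PHP version's branch if it is listed, else null. */
function php_branch_eol($version, array $eol)
{
    if (!preg_match('/^(\d+\.\d+)/', $version, $m)) {
        return null;
    }
    return isset($eol[$m[1]]) ? $eol[$m[1]] : null;
}

/**
 * True when the version text reports OpenSSL 1.0.1 through 1.0.1f, the upstream
 * releases affected by Heartbleed (fixed in 1.0.1g). Distributions backport fixes
 * without changing this string, so a hit means "verify the package", not proof.
 */
function openssl_in_heartbleed_range($versionText)
{
    if (!preg_match('/OpenSSL\s+1\.0\.1([a-z]?)(?![0-9a-z])/', $versionText, $m)) {
        return false;
    }
    return $m[1] === '' || $m[1] <= 'f';
}

/** Collect findings for one runtime; $today is an ISO date (YYYY-MM-DD). */
function audit_runtime($phpVersion, $opensslText, array $eol, $today)
{
    $findings = array();
    $date = php_branch_eol($phpVersion, $eol);
    if ($date !== null && $today > $date) {   // ISO dates compare as strings
        $findings[] = "PHP $phpVersion: branch reached EOL on $date";
    }
    if (version_compare($phpVersion, '5.3.0', '<')) {
        $findings[] = "PHP $phpVersion: below the 5.3 floor proposed in the thread";
    }
    if ($opensslText === null) {
        $findings[] = 'openssl extension not loaded';
    } elseif (openssl_in_heartbleed_range($opensslText)) {
        $findings[] = "$opensslText: in the Heartbleed-affected upstream range";
    }
    return $findings;
}

// Constructed sample input first, then the live runtime.
print_r(audit_runtime('5.1.6', 'OpenSSL 1.0.1e-fips 11 Feb 2013', $EOL, '2014-09-01'));
$live = defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null;
print_r(audit_runtime(PHP_VERSION, $live, $EOL, date('Y-m-d')));
```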

I simply propose supporting the feature set of 5.3 and higher (at least 5.3), as supporting something that was discontinued 8 years ago to this day does make development for it more difficult than it should be.

I do not understand.

I run 5.4.31. Blesta works fine.


You can use 5.1, 5.2, 5.3, 5.4 with the default files.... use the hotfix-5.5 folder contents to overwrite the licensing files... This will allow you to use Blesta on 5.5, 5.6, 5.x

 

Whatever Ioncube supports: https://twitter.com/Licensecart/status/481556538184986625

I applied the hotfix once, but since then I have upgraded Blesta to the new beta.

Does the hotfix have to be applied again after upgrading to the newest version of Blesta beta? Or has it already been added to the newest version?


While I understand your point, here's basically another way I can think of to look at it:

 

Blesta uses phpseclib to do a lot of (if not all) the encryption and ciphering of sensitive data like CC numbers.  In supporting 5.1.2, Blesta also has to use a version of phpseclib that supports 5.1.2.

 

What this means is that if PHP 5.1.2 isn't compiled with a newer version of, say, OpenSSL, then things in phpseclib and PHP itself that use OpenSSL functions are potentially vulnerable to the Heartbleed attack.  Thus rendering any sensitive information completely null.

 

This isn't to say that it would happen this way, but this is a major security risk that shouldn't be ignored until something happens (and Blesta gets blamed for carrying an outdated version of a security library).

Yes, I understand your point completely and I have nothing to say against it. I just tried to respond to "why would someone support the older versions?", and as I pointed out in my post, I think Blesta in 95% of cases is installed on isolated servers, and probably only a small number of webmasters host it on a shared hosting account, where potentially not supporting the low variants can be an issue. But if we consider that many shared hosting providers also support multiple PHP variants and already implement multi PHP selectors, then we can assume that only a small number (in my opinion) would be affected if they increase the requirements for PHP version.


Yes it needs to be applied to every version.

Actually only if the app_controller.php and app_model.php files are modified.  Those are the only 2 files I know of in Blesta that are encoded and those are the only 2 in the hotfix folder.  If those files aren't touched the encoding is going to stay the same after all.


Actually only if the app_controller.php and app_model.php files are modified.  Those are the only 2 files I know of in Blesta that are encoded and those are the only 2 in the hotfix folder.  If those files aren't touched the encoding is going to stay the same after all.

 

The default Blesta is encoded with an old ionCube loader; you replace them with the new ionCube loader files in the hotfix, so it works on 5.4 & 5.5+ when supported.


The default Blesta is encoded with an old ionCube loader; you replace them with the new ionCube loader files in the hotfix, so it works on 5.4 & 5.5+ when supported.

Yeah, but you don't have to plop the hotfix in every single time you upgrade; as long as app/app_controller.php and app/app_model.php aren't overwritten you're good once.

 

Plus the hotfix is only for 5.5 (not 5.6 or 5.4), because with 5.5 ionCube had to do some different stuff.  However the standard Blesta files will work up to 5.4 without having to worry about the hotfix.


Yeah, but you don't have to plop the hotfix in every single time you upgrade; as long as app/app_controller.php and app/app_model.php aren't overwritten you're good once.

 

Plus the hotfix is only for 5.5 (not 5.6 or 5.4), because with 5.5 ionCube had to do some different stuff.  However the standard Blesta files will work up to 5.4 without having to worry about the hotfix.

 

True, unless you are doing an upgrade for 3.x.x; if it's just 3.2.x you don't, as you need the full files for a major upgrade.

3.2.x --> 3.3.x you need to upload the full files.

 

3.2.2 -> 3.2.3 you just upload the patch files.


As far as I know those files do change every time Blesta is upgraded - if only to update the version number.

 

Yes, you MUST overwrite these files when upgrading. Every single time.

 

Also, to clarify, the hotfix can be applied to PHP 5.4 or PHP 5.5. The standard distribution will work from PHP 5.1-5.4, so it's not necessary to apply the hotfix to PHP 5.4, but you can. Also, there are 3 files, not 2 that are encoded. If you are only seeing 2, you may be looking at a patch where there was no change. Every major or minor release will have all 3 of the files.


Yes, you MUST overwrite these files when upgrading. Every single time.

 

Also, to clarify, the hotfix can be applied to PHP 5.4 or PHP 5.5. The standard distribution will work from PHP 5.1-5.4, so it's not necessary to apply the hotfix to PHP 5.4, but you can. Also, there are 3 files, not 2 that are encoded. If you are only seeing 2, you may be looking at a patch where there was no change. Every major or minor release will have all 3 of the files.

Thanks for the clarification; didn't know those files were hotfixed every new release of some sort.
