Published: Wednesday, Sep 2, 2015 Last modified: Thursday, Nov 14, 2024
I like to talk at local Singaporean tech meetups to challenge myself. When I talk vehemently about certain topics, don’t think I actually believe in what I say. I’m overstating on purpose in order to attract debate. I am trying to convince myself as much as you.
Case in point: a talk I gave at the SG PHP meetup group, based on my troubled [[Evergreen_PHP]] post, with slides made in Go Present that I never figured out how to fullscreen.
An audience member asked, "I'm running PHP 5.4, so why should I update?"
I retorted with "security reasons" and I made a bad analogy with browser updates. Truth is, browsers actually get better over time and I'm not sure PHP does. As for "security reasons"... well... we all should know by now, "security reasons" is a bullshit answer.
AFAIK there aren't remote PHP vulnerabilities in reality. In my mind there are two types of PHP security problems:
- Problems in your script, which no PHP security updates will address. You need to fix your script!
- Problems where running a script can compromise the host. Moot point if people run PHP in a single user (just you!) environment.
When I look through PHP CVEs I see type 2 bugs. These bugs are a problem when an attacker runs a script on your machine to compromise it. What’s the chance of that when people do not use shared hosting anymore? It should be ZERO.
Furthermore you should run PHP in a container, like I do with greptweet. There really should be zero chance a compromised container can disrupt the host.
Together, the security risks of a non-updated PHP should be very low! So "security reasons" for a PHP update is a stupid thing to say because the risks are so low.
Expanding on the surface area... since PHP is typically deployed with Linux, MySQL & Apache... when was the last remote vulnerability affecting these stacks? It basically does not happen.
Let's move forward
So now I’m thinking a minimal, hardened, frozen environment with PHP 5.4 is actually what I want to deploy my production apps upon. Which distro or Docker image does this? Debian at the time of writing ships 5.6.7 as stable!
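A container only keeps a compromised script away from the host if it is actually locked down; the docker-compose.yml below, added here as an example and not part of the original post or of greptweet, shows the settings that turn a plain PHP container into the minimal, frozen environment described above. The image tag, the `./app` path and the port are assumptions.

```yaml
# Added example (not from the original post): a hardened Compose service for
# a frozen PHP deployment. Adjust the assumed image tag, path and port.
services:
  web:
    image: php:5.4-cli            # assumed tag; pin your own frozen image here
    # PHP's built-in web server (available since 5.4) keeps the example to one
    # process; put a real HTTP server in front of it for production traffic.
    command: ["php", "-S", "0.0.0.0:8080", "-t", "/var/www/html"]
    user: "65534:65534"           # run as nobody, never as root
    read_only: true               # immutable root filesystem ("frozen")
    volumes:
      - ./app:/var/www/html:ro    # code mounted read-only: a bug cannot rewrite it
      - type: tmpfs               # the only writable place (uploads, sessions)
        target: /tmp
        tmpfs:
          size: 16777216          # 16 MiB cap on scratch space
    cap_drop:
      - ALL                       # no kernel capabilities at all
    security_opt:
      - no-new-privileges:true    # setuid binaries cannot raise privileges
    pids_limit: 128               # contain fork bombs
    mem_limit: 256m               # contain memory exhaustion
    ports:
      - "127.0.0.1:8080:8080"     # reachable only from a local reverse proxy
    restart: unless-stopped
```

With these settings a script that is fully compromised can still only read the application code and write 16 MiB to /tmp; anything it wants from the host has to come through the kernel, which is the remaining attack surface to keep patched.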