That’s right - thanks to a Freexian subscription, end-of-life versions of PHP are getting extended support!
A PHP version is officially supported for a total of 3 years, with two distinct periods within those 3 years, which are:
After that last year of security fixes, the version is considered to be “end of life” and will no longer receive any bug fixes or security fixes.
With this in mind, we always encourage our Upsun users to use a supported version of PHP to ensure the best performance and security. And the good news is that with our platform, it’s simple to upgrade to the latest version of PHP in just a few steps: branch, update, deploy, test, and merge. Check out this blog where we explain how to do it.
We get it. Being able to upgrade to the latest version of PHP every time a new release is made available isn’t always easy or possible. Projects often involve challenges such as:
That’s why, even with all the tooling and good intentions, many “end of life” versions of PHP are still used widely on production applications. So, what’s the alternative?
Every year, when a PHP version reaches its ‘end of life’, we receive a lot of enquiries from our customers and partners regarding their application security. Many of them do not want to migrate to a new version of PHP for similar reasons to those mentioned above, but want to know if their applications would still be secure. So we started looking for a solution to provide long-term support for PHP.
The good news is that we found a solution and implemented it. End-of-life PHP will continue to receive security fixes for our users. However, even with our PHP legacy and all of our skilled engineers, we are not PHP maintainers. That’s why we got in touch with Freexian.
Freexian is a service company specializing in Free Software and, in particular, Debian, that offers long-term support for Debian and PHP. They describe their security support as:
Upstream security and stability fixes, as applied to PHP stable releases, are backported to the Freexian LTS-supported PHP releases. This is essentially the same support that upstream PHP provides for their upstream-supported releases, but continued long after upstream PHP stopped supporting them.
We review and triage security issues regularly and apply patches according to impact and compatibility with the older PHP releases. This is done on a best-effort basis. Where an issue is not fixable, mitigations may be recommended.
Many security updates come with regression tests to ensure that they are fixed. These are usually backported with the patch, ensuring their correctness and avoiding future regression.
This is the same level of security support as is provided for PHP packages within regular Debian stable releases, by the same team.
PHP versions are now covered with LTS support without extra charge. Your projects will get the latest version when the image is updated, which happens when a project is redeployed or when the SSL certificate is renewed.
To make sure that your projects use an LTS version, you can force a redeploy by using the following CLI command:
upsun redeploy
Alternatively, in Console, you can:
At the time of writing this blog post, versions retroactively affected by this extended support are PHP 8.3 and 8.4.
The team is actively working on providing the same support on 7.2, 7.4, and 8.0 versions.
We do our best to extend the support for PHP versions, but at the end of the day, older versions will disappear at some point, as it’s possible that someone discovers a security issue that just can’t be fixed and forces us to retire a version.
That’s why upgrading your PHP version, even from one minor version to another minor version, is always a good move and our top tip when it comes to optimizing your performance and security.