EoL PHP Version Warning (and general comments)

XN-Matt

A bit related to the initial chat about old version support in https://community.enhance.com/d/11-supported-php-versions, I feel it would be good to signpost, or at least warn customer about using EoL versions.

PHP 5.6 EoL was 31 Dec 2018 (4+ years ago)
PHP 7.4 EoL was 28 Nov 2022

A lot of customers will just select a version to make their site work, often unaware in doing so poses potential issues, instead of resolving the core issue of their site being kept up to date.

Personally, we have set a timeline of end of year to remove it entirely (in cPanel) but this then is confused by the fact we cannot control what versions to (or not) offer in Enhance. This seems to be dictated than controllable.

In the popup when selecting a version, especially those that are officially EoL - i'd prefer to see a fairly clear warning about selecting such a version, highlighting that it has security risks and give the date when support ended.

Maybe even a check box to confirm they understand the risks when doing so.

Having come across a site today from one customer on cPanel running a 13 year old code base, there has to be a time when a host has to force the issue. Software on a website is no different to that on your computer or phone - you should keep it up to date and there will come a time where if you don't, things move on and you will have to and it will be unsupported.

Allowing EoL versions over 4 years after they were supported shouldn't be a thing, by default.

Aliysa_Enhance

XN-Matt We have a roadmapped feature that i think will help with this. The MVP for the "PHP versions on a per package level" feature will allow you to select which php versions a client can select.

Zoinkies

Aliysa_Enhance still getting packaged PHP this month?

necrom

The rate of application development and deployment does not necessarily keep pace with the rate of language development and I've seen many occasions over the last 20 years when it has been absolutely necessary and workable to be running long past end-of-security lifes in order to give applications time to handle forced deprecations. I agree that the host admin should really have the ability to select the versions installed, versions made available to user, the default version on newly created sites/apps and indeed the naming of those versions (so you may mark one as recommended, latest, supported, unsupported, end of life, ending life soon, beta or whatever other language works for your type of user); but I would not have the control panel causing a forced warning to appear or requiring double confirmation. After the host has decided what they're willing to offer (different hosts invest in different levels of mitigation and have different risk appetites / enhance security model somewhat different to cpanel and others) and the language they use to describe it, then it is really down to the application or the developer to educate the user (as we've seen a push from Wordpress to do).