[mapguide-internals] MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

Martin Morrison martin.morrison at edsi.com
Thu Dec 13 05:40:02 PST 2018 

So what will it take to finish the upgrade?  Just testing?

On a side note, what is Autodesk's involvement at this point?  Is everything open-sourced or are they still maintaining control of some aspects?

Martin Morrison     
Infrastructure Application Engineer/Systems Analyst
 Engineering Design Systems, Inc.
540.345.1410
martin.morrison at edsi.com


-----Original Message-----
From: mapguide-internals <mapguide-internals-bounces at lists.osgeo.org> On Behalf Of Jackie Ng
Sent: Thursday, December 13, 2018 8:37 AM
To: mapguide-internals at lists.osgeo.org
Subject: Re: [mapguide-internals] MapGuide RFC 168 - Upgrade Apache, Tomcat and PHP

There are several driving forces at work right now:

 1. PHP 5.6.x will be end of life (it will no longer receive any bugfixes or
support) at the end of this year

 2. PHP 5.6 to PHP 7.x migration of the MapGuide API binding has been a difficult and time-consuming process. While I have the basic groundwork in place for a functional PHP 7 MapGuide API binding (via:
https://github.com/jumpinjackie/mapguide-api-bindings), this binding needs time in the oven to iron out any problems that will inevitably appear when we start porting across existing MapGuide PHP applications on top of this new binding (mapdmin, fusion, ajax viewer, etc)

 3. This has stretched out the release date of the next major version of MapGuide (3.3) that has already been stretched due to diminishing developer resources. We cannot ship 3.3 with PHP 5.6.x

 4. But at the same time, there hasn't been a release of MapGuide (major or
minor) since early April this year. So since 3.3 is still some time away, and 3.1 is still on the PHP 5.6.x series, the very least we can/should do in the interim is to put out a 3.1.2 release and make sure that its bundled copy of PHP 5.6 is the last 5.6.x version before EOL (5.6.39). And since PHP is getting upgraded, we might as well roll in updated Apache and Tomcat as well. This is the motivation for this RFC.

So what does this mean in terms of risk for MapGuide users who roll 3.1.2 out into production (when it comes out)? They'll be running a version of PHP that is no longer supported, but you can say the same thing for any preceding version of MapGuide currently out there.

I guess as long as you lock down the PHP installation on production with a minimal attack surface (only enable the minimally required settings/features in PHP so that the MapGuide PHP applications work and nothing more), things should be fine. If you don't use fusion, mapadmin, or any of the other supporting MapGuide PHP applications, you can remove PHP altogether and be business as usual. If something in breaks in your bundled PHP after 31st December 2018 or new PHP-level security vulnerabilities are discovered after this date, you're on your own. That's the risky part.

- Jackie



--
Sent from: http://osgeo-org.1560.x6.nabble.com/MapGuide-Internals-f4209935.html
_______________________________________________
mapguide-internals mailing list
mapguide-internals at lists.osgeo.org
https://lists.osgeo.org/mailman/listinfo/mapguide-internals

More information about the mapguide-internals mailing list