[MediaWiki-l] MediaWiki-l Digest, Vol 147, Issue 3

Tim Starling tstarling at wikimedia.org
Mon Dec 7 02:54:32 UTC 2015


On 05/12/15 06:52, Jan Steinman wrote:
> I'm not exactly a "noob", but I haven't kept up with PHP changes --
> what is running is running, so why change?

It is important to keep up with security releases. If your server is
compromised, it can be used to host fraudulent websites, participate
in DDoS attacks and send spam. The criminals of the internet depend on
people like you who don't care about security. You are an essential
part of their infrastructure.

> So I was just punting on the "how long will it take to upgrade?"
> question. (I said "More than an hour", because just finding out the
> impact will take that long!)
> 
> So what exactly is the expected impact of upgrading PHP 5.3.8 to
> 5.5 or greater? (Note: I'm now officially in that "more than an
> hour" of upgrading.)
> 
> Having been stung by various upgrades over the years, I tend to not
> touch stuff that isn't broken. I'm running several MediaWiki sites
> between 1.13 and 1.16. I'd sorta like to upgrade, but I don't know
> what that buys me, and y'know, they're all working... :-)

I can't say I have tried to run MediaWiki 1.13 (released in 2008) on
PHP 5.5. Maybe it would work.

I was just looking for my notes on how hard it is to upgrade
MediaWiki. It looks like I had a similar conversation with you back in
2008, about upgrading from 1.3! Good times.

Note that 1.3 -> 1.13 was a gap of 4 years, and it's now been another
7 years after that. So maybe it is about time for another upgrade?

Normally, upgrading PHP is very simple, because by the time you
upgrade PHP, you've already upgraded MediaWiki to a version which has
been tested on the new version of PHP. Your case is not normal. That
is the price you pay for upgrading MediaWiki as often as other people
paint their houses.

I think you should take your site down for "scheduled maintenance",
and while it is down, upgrade PHP and any other dependencies such as
MySQL and the rest of the Linux distro, and then upgrade MediaWiki to
1.23. That is, don't bother testing MW 1.13 on PHP 5.5, it doesn't
matter if it doesn't work if you are halfway through an upgrade.

If you really hate upgrading things, you should take steps to make it
easy. Use PHP from an Ubuntu LTS package, don't compile your own. Use
unattended-upgrades to get security releases automatically. Don't
change any files that were distributed with MediaWiki.

-- Tim Starling




More information about the MediaWiki-l mailing list