Hi!
> What I'm answering is the proposal that removing support for PHP 5.3
> will motivate the user to upgrade their PHP, when that isn't the case.

It may not motivate them to upgrade their PHP if their hosting cannot
provide that, but it will motivate them to upgrade their hosting, if the
hosting refuses to upgrade their PHP. Hosting is so commoditized now
that I don't believe one can't find a dozen PHP hosters literally in
seconds. And most hosters already support multiple PHP versions anyway.

> I recall this has been the conclusion reached on this list previously
> - that this will cause problems for MW out in the world, and gain it
> an unwarranted reputation for insecurity as un-upgradeable
> installations get pwned. Thus, if newer MW still supports older PHP,
> this results in less pwned MW. The balance is up to you, of course.

I have a hard time buying this argument. If it were true, the strategy of
doing version upgrades and phasing out old version support would not
survive, or at least would be very rare among software vendors, while in
fact most software platform vendors are doing exactly that - phasing out
old versions and requiring upgrading to new versions, all the time, both
in the open source and proprietary world. Yet I don't remember any of the
vendors gaining a reputation of a particularly insecure product because of
such an upgrade strategy. I do not see why MW would be an exception.

I think most people that have business talking about security and
evaluating which product is secure and which is not can distinguish the
case of a product being flawed from the case of somebody running an
ancient version of the software and never upgrading. Maybe I'm too
optimistic, but I also think solving an education problem by never
educating and staying on ancient versions out of fear that uneducated
FUD may hurt our reputation does not sound like a winning strategy to me.
--
Stas Malyshev
smalyshev(a)wikimedia.org