Updating PHP 7.4 on Ubuntu 20.04 doesn't update to the latest release
I was just trying to install PHP 7.4 on a fresh Ubuntu 20.04,
Doing a simple apt install php php-cli installed the 7.4 version by default,
But when I do apt update && apt upgrade the version is still 7.4.3 instead of 7.4.5!
Please note that I'm aware this can be fixed by adding
ppa:ondrej/phprepository.
I'm just trying to understand, if Ubuntu is shipping with 7.4 by default, why doesn't it update to the latest version? will we always get 7.4.3 in Ubuntu 20.04.0 (not the next point release) even after 2-3 years? and the only option is to add the ondrej/php repository?
Edit: PHP 7.4.6 has been released few weeks ago, but the version on my server is still stuck on 7.4.3.
The previously accepted answer is wrong.
This claim
it's common that some packages remain outdated for a few months
leaves the impression that Ubuntu LTS releases are constantly upgrading to the newest minor version just a few months after the PHP team released them.
That's not true!
Ubuntu's update policy
TL;DR Ubuntu's officially packaged PHP is up-to-date security-wise and out-out-date bug-fix-wise.
Here's how Ubuntu / Canonical actually maintains official packages like PHP:
When Ubuntu prepares an LTS release, there's a feature freeze (details) at some point in time. That means even if the packaged software releases a newer minor version (e.g. to fix bugs) before Ubuntu's feature freeze and after the final LTS release, this minor version update isn't going to find it's way into Ubuntu anymore.
In case of Ubuntu Focal Fossa 20.04 LTS, PHP was frozen at version 7.4.3. That means Focal's php package will never again get a minor release update (e.g. 7.4.6) throughout it's support lifespan.
However, that doesn't mean that Fossa's php package will never ever get updates at all.
SRUs
The contrary is true: it will be patched with these so-called stable release updates or short SRUs.
So what goes into SRUs?
Mainly fixes for high-impact bugs which boils down to security bugs most of the time. See SRUs for what Ubuntu considers high-impact bugs.
Anyway, what you end up with is Focal Fossa receiving multiple patched versions of PHP 7.4.3 throughout its lifetime. In other words, there exist multiple PHP 7.4.3 versions in Focal Fossa as you can see in the package's change log.
It shows multiple versions like 7.4.3-4ubuntu1, 7.4.3-4ubuntu2, 7.4.3-4ubuntu2.5 and so on and you can see that mostly security bugs are fixed.
How to check which version is actually installed?
Problem is that php -v will always report PHP 7.4.3. However, take a look at the details of the output: PHP 7.4.3 (cli) (built: Jul 5 2021 15:13:35) ( NTS ). That it was built Jul 5 2021 already hints that something happened to the seemingly old 7.4.3 version.
To be really sure which version is installed, ask apt: apt policy php7.4.
Output:
In this case 7.4.3-4ubuntu2.5 is installed. Again, take a look at the package's change log to see what's included in that build.
Are all security bugs affecting PHP 7.4 fixed?
Yes.
Comparing with the PHP 7.4 ChangeLog, you'll discover that all security problems (CVEs) except one (afaik just Windows affected) are fixed in the Ubuntu package. Apart from that, just a few non-security bug fixes are included.
Ubuntu's security team is closely tracking the CVE database and maintains its own Ubuntu CVE tracker.
Should you use Ubuntu's official PHP package?
It depends on your situation. I tend to say it's a good default.
Anyway, here are the facts on which you should base your decision:
When you use Ubuntu's official PHP package, you can be sure that it'll receive security updates throughout the lifespan of the actual Ubuntu release (5 years in case of a LTS version like Focal Fossa 20.04). Even when PHP 7.4 reaches end-of-life (end of 2022), Ubuntu's security team will still patch the official php7.4 package. In other words, even if the PHP team no longer release security fixes, Ubuntu's security team will.
When you're using something like Ondrej's PPA in contrast, you'll have to switch to PHP 8 after end of 2022. If you do not, your PHP will get no more security fixes.
While Ubuntu's php package will get security fixes, it will barely get bug fixes of other sorts. Either you're lucky and your software isn't affected or you'll have to work around those bugs. If a bug seriously affects your software (e.g. performance problem), you may consider switching to a PPA package.
- Latest Nursing Home Compare data-set returning no data
- How to make form with two buttons submit a different value for each button?
- twig filter multiple parameters
- SVG image is not loading in canvas in Mozilla browser
- convert Persian/Arabic numbers to English numbers
- Is Laravel-admin 1.8.19 not compatible with laravel 11.8.0? [Your requirements could not be resolved to an installable set of packages.]
- How convert RGBA to HEX6 color code in PHP?
- Symfony4 bundle creation - impossible to generate a config file
- How to force download a .csv file in Symfony 2, using Response object?
- How to use Repository custom functions in a FormType
- Laravel : Log:info in repository not printing values from Input
- why using viewSimple renderer in Phalcon corrupts main renderer
- Search an id and place data corresponding to that id in the same page using codeigniter and ajax.the data cannot place to the fields
- Can't Change property value through a method in a WordPress plugin
- how to return values from a Laravel Sever to React with inertiajs?
- Getting instance of container in custom sonata block
- Getting the HTML source code of an .swf URI
- How can scrape website via PHP that requires POST data?
- PHP Filename cannot be empty how to bypass that in simple html dom line 70
- PHP-ZIP extension is missing on your server. Please install the extension
- Making a CommonController in laravel
- Automatically scroll to bottom as the page loads
- Declare aliases for counts which use the same column with Laravel's Eloquent method loadCount()
- Why loadCount() introduced and its actual usage into laravel
- Nested Eager Loading count
- count with load Laravel
- Laravel Eloquent Lazy Eager Load Count
- Problem with the CakePHP Search Plugin
- Combined two arrays and the result returned has an empty key and value
- Typo3 8.7 return a GLOBAL be_user value from a TCA Override page