by cperciva 3236 days ago
I can't speak for Ubuntu, but when I was FreeBSD Security Officer we would regularly backport patches because importing an entire new release would regularly break existing functionality or even add new security vulnerabilities. It annoyed the heck out of vulnerability scanning tools, but I decided that giving users a system which didn't randomly break when they applied security patches was far more important.

That was years ago, IIRC.

PHP has gotten better about "no BC breaks in patch versions" over the years, but the Debian/Ubuntu teams still insist on making people effectively run e.g. 7.1.8 while the version indicator says 7.1.1.

It makes feature detection a nightmare.

Ubuntu developer here. Huh? No, we don't. Can you provide a more specific and current example to make sure I don't misunderstand you?

For example, the current package for Ubuntu 16.04 LTS is 7.0.22-0ubuntu0.16.04.1. How does this mismatch 7.0.22 from the PHP upstream project?
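The point raised above, that a distro package can carry a backported fix while its upstream version number stays put, is exactly what trips up scanners that only look at the upstream part of a version string. The following is an added example, not code from this thread or from Debian/Ubuntu: a Python port of the dpkg version-comparison rules, used to contrast a naive "upstream-number-only" check with one that compares the full package version against the distro's own fixed-in version. The package version 7.0.22-0ubuntu0.16.04.1 is taken from the comment above; the upstream "fixed in" version 7.0.25 and the distro "fixed in" revision are constructed for illustration, not taken from any real advisory.

```python
"""Debian/Ubuntu package version handling for vulnerability checks (added example).

The comparison follows the dpkg algorithm: epoch numerically, then the upstream
version and the Debian revision with the same digit/non-digit walk, where '~'
sorts before everything (including end of string) and letters sort before
other non-digit characters.
"""


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit run (mirrors dpkg's order())."""
    if c == "":
        return 0            # end of string
    if c == "~":
        return -1           # '~' sorts before everything, even the end of string
    if c.isalpha():
        return ord(c)       # letters in ASCII order
    return ord(c) + 256     # punctuation etc. sorts after letters


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg compares upstream/revision parts."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Walk the non-digit run of both strings in lock-step.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: strip leading zeros, then compare digit by digit;
        # a longer run of digits is the larger number.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_debian_version(version: str) -> tuple[int, str, str]:
    """Split '[epoch:]upstream[-revision]' into its three components."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def debian_version_cmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b under dpkg ordering."""
    ea, ua, ra = parse_debian_version(a)
    eb, ub, rb = parse_debian_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)


def naive_scanner_flags(installed: str, upstream_fixed: str) -> bool:
    """What a scanner does when it ignores backports: compare only the upstream part."""
    _, upstream, _ = parse_debian_version(installed)
    return debian_version_cmp(upstream, upstream_fixed) < 0


def distro_aware_flags(installed: str, distro_fixed: str) -> bool:
    """Compare the full package version against the distro's own fixed-in version."""
    return debian_version_cmp(installed, distro_fixed) < 0


if __name__ == "__main__":
    installed = "7.0.22-0ubuntu0.16.04.1"      # package version quoted in the thread
    upstream_fixed = "7.0.25"                   # constructed: upstream release carrying a fix
    distro_fixed = "7.0.22-0ubuntu0.16.04.1"    # constructed: distro revision with the backport
    print("naive scanner says vulnerable:", naive_scanner_flags(installed, upstream_fixed))
    print("distro-aware check says vulnerable:", distro_aware_flags(installed, distro_fixed))
```

The naive check reports the package as vulnerable because 7.0.22 is older than 7.0.25, while the distro-aware check, which is what the security advisory for the distribution actually states, reports it as fixed. Comparing full package versions with the dpkg rules also gets the edge cases right that string comparison does not, such as `7.0.22~rc1` sorting before `7.0.22` and epoch-prefixed versions outranking everything without an epoch.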

Okay, maybe Ubuntu stopped being stupid and only Debian is still guilty of this?

This used to be a huge problem. I've since convinced [most PHP devs I talk to] to stop using distro-provided packages, in favor of deb.sury.org.

Ubuntu and Debian's PHP packages are largely the same.

> I've since convinced [most PHP devs I talk to] to stop using distro-provided packages, in favor of deb.sury.org.

You do realise that Ondřej Surý (of sury.org) is the primary Debian PHP maintainer? The point of his repositories (AIUI) is to allow users to mix and match PHP versions. The downside is that he's one person with (AFAIK) a bus factor of 1 when it comes to security updates. That's irresponsible to use in production.

In contrast, Debian and Ubuntu's PHP packages, essentially provided by the same person, have in addition teams (both in Debian and Ubuntu) who can pitch in when required.