Menu
I was just trying to install PHP 7.4 on a fresh Ubuntu 20.04,
Doing a simple apt install php php-cli installed the 7.4 version by default,
But when I do apt update && apt upgrade the version is still 7.4.3 instead of 7.4.5!
Please note that I'm aware this can be fixed by adding
ppa:ondrej/phprepository.
I'm just trying to understand, if Ubuntu is shipping with 7.4 by default, why doesn't it update to the latest version? will we always get 7.4.3 in Ubuntu 20.04.0 (not the next point release) even after 2-3 years? and the only option is to add the ondrej/php repository?
Edit: PHP 7.4.6 has been released few weeks ago, but the version on my server is still stuck on 7.4.3.
687
The previously accepted answer is wrong.
This claim
it's common that some packages remain outdated for a few months
leaves the impression that Ubuntu LTS releases are constantly upgrading to the newest minor version just a few months after the PHP team released them.
That's not true!
TL;DR Ubuntu's officially packaged PHP is up-to-date security-wise and out-out-date bug-fix-wise.
Here's how Ubuntu / Canonical actually maintains official packages like PHP:
When Ubuntu prepares an LTS release, there's a feature freeze (details) at some point in time. That means even if the packaged software releases a newer minor version (e.g. to fix bugs) before Ubuntu's feature freeze and after the final LTS release, this minor version update isn't going to find it's way into Ubuntu anymore.
In case of Ubuntu Focal Fossa 20.04 LTS, PHP was frozen at version 7.4.3. That means Focal's php package will never again get a minor release update (e.g. 7.4.6) throughout it's support lifespan.
However, that doesn't mean that Fossa's php package will never ever get updates at all.
The contrary is true: it will be patched with these so-called stable release updates or short SRUs.
So what goes into SRUs?
Mainly fixes for high-impact bugs which boils down to security bugs most of the time. See SRUs for what Ubuntu considers high-impact bugs.
Anyway, what you end up with is Focal Fossa receiving multiple patched versions of PHP 7.4.3 throughout its lifetime. In other words, there exist multiple PHP 7.4.3 versions in Focal Fossa as you can see in the package's change log.
It shows multiple versions like 7.4.3-4ubuntu1, 7.4.3-4ubuntu2, 7.4.3-4ubuntu2.5 and so on and you can see that mostly security bugs are fixed.
Problem is that php -v will always report PHP 7.4.3. However, take a look at the details of the output: PHP 7.4.3 (cli) (built: Jul 5 2021 15:13:35) ( NTS ). That it was built Jul 5 2021 already hints that something happened to the seemingly old 7.4.3 version.
To be really sure which version is installed, ask apt: apt policy php7.4.
Output:
In this case 7.4.3-4ubuntu2.5 is installed. Again, take a look at the package's change log to see what's included in that build.
Yes.
Comparing with the PHP 7.4 ChangeLog, you'll discover that all security problems (CVEs) except one (afaik just Windows affected) are fixed in the Ubuntu package. Apart from that, just a few non-security bug fixes are included.
Ubuntu's security team is closely tracking the CVE database and maintains its own Ubuntu CVE tracker.
It depends on your situation. I tend to say it's a good default.
Anyway, here are the facts on which you should base your decision:
When you use Ubuntu's official PHP package, you can be sure that it'll receive security updates throughout the lifespan of the actual Ubuntu release (5 years in case of a LTS version like Focal Fossa 20.04). Even when PHP 7.4 reaches end-of-life (end of 2022), Ubuntu's security team will still patch the official php7.4 package. In other words, even if the PHP team no longer release security fixes, Ubuntu's security team will.
When you're using something like Ondrej's PPA in contrast, you'll have to switch to PHP 8 after end of 2022. If you do not, your PHP will get no more security fixes.
While Ubuntu's php package will get security fixes, it will barely get bug fixes of other sorts. Either you're lucky and your software isn't affected or you'll have to work around those bugs. If a bug seriously affects your software (e.g. performance problem), you may consider switching to a PPA package.
83
Kindly use below code to update php 7.4.15
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install -y php7.4 php7.4-cli php7.4-common php7.4-fpm
sudo apt-get install -y php7.4-mysql php7.4-dom php7.4-simplexml php7.4-ssh2 php7.4-xml php7.4-xmlreader php7.4-curl php7.4-exif php7.4-ftp php7.4-gd php7.4-iconv php7.4-imagick php7.4-json php7.4-mbstring php7.4-posix php7.4-sockets php7.4-tokenizer
sudo apt-get install -y php7.4-mysqli php7.4-pdo php7.4-sqlite3 php7.4-ctype php7.4-fileinfo php7.4-zip php7.4-exif
sudo nano /etc/php/7.4/fpm/php.ini
Find: cgi.fix_pathinfo => Remove semi-colon and set 0
cgi.fix_pathinfo=0
Save & quit
php -v
your php version has updated.
6
Ubuntu official repository shows that the 7.4.3 is the latest available version. So that's not a problem with apt or caching as suggested by @blizzo.
Since we are talking about a LTS release of Ubuntu, it's common that some packages remain outdated for a few months due to stability reasons. (Even patch versions can introduce bugs that make thinks unrealiable, and LTS is meant to be very stable and realiable)
As you wrote on the original question, the best solution is using the ondrej/php repository.
Edit:
I asked to ondrej about it and he gently answered with this link: https://wiki.ubuntu.com/StableReleaseUpdates that says:
Once an Ubuntu release has been completed and published, updates for it are only released under certain circumstances, and must follow a special procedure called a "stable release update" or SRU.
2. When
2.1. High-impact bugs
Stable release updates will, in general, only be issued in order to fix high-impact bugs.
2.2. Other safe cases
...
5
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
