Ok, that title’s a bit harsh but I’m pretty tired after rasslin’ with a PHP upgrade all weekend and this is my chance to vent now that the worst of the damage has been repaired. And perhaps wax a little philosophical about the open source world’s need to get better at figuring out upgrade management.
It all started with an attempt to install MediaWiki on my trusty Windows 2003 server and the discovery that it really didn’t like the idea of running under PHP4. So, being an up-to-date kinda fella, I figured it was time to upgrade to PHP5. First observation — I defy you to find a coherant step by step process to do this on the www.PHP.net website. Now you LAMP (Linux, Apache, MySQL, PHP) bigots may find this hard to swallow, but getting instructions to upgrade Microsoft server software is a comparative breeze (from Microsoft and 3rd-party sites).
I finally test out a few different cookbooks on a brand new VMWare virtual 2003 server and, after about 3 tries, come up with a sequence of steps that I think will work and provide me a roll-back path if they don’t. So, it’s off to the “real” server to do the upgrade. Where I discover that upgrading to PHP5 breaks some of the blogs (most notably, WordPress blogs). So, after discovering that the roll-back process doesn’t work after all, I press on and fix the blogs (upgrading them manually because I can’t get into the blogs to turn off the features that block the automatic upgrade).
Now, for me a person with strong geekish tendencies who was trying to stay inside on this incredibly hot weekend, this provided endless puzzles to solve and wasn’t generally a terrible thing. But here’s the second observation — if you’re a normal person (or a business that has better things to do), this process would be hair-raising and it would teach you NOT to mess with a functioning configuration.
Which, from a security/vulnerability perspective is a Very Bad Thing. Here’s a tip for all you hacker/cracker types out there. There are going to be lots and lots of aging LAMP systems out in the world that are going to be really out of date over the next few years. If I were you, I’d start learning how to break into those systems because a) they’re probably a lot further behind on their patches than MS auto-updated systems will be, b) the people who are running them are going to get more and more clueless about how to monitor those systems for intrusion, c) it’ll take them a really long time to get around to fixing them, because d) a lot of them will never be able to get through the upgrade cycle.
Open Source be great, but as we non-tech public become administrators of these hard-to-maintain systems, there’s going to be a fine mess you bet.