Php7


#1

What is the status of PHP7 and Symbiosis?

I’m getting this warning from my Joomla! sites so would like to upgrade soon.

Warning
Your PHP version, 5.6.30-0+deb8u1, is only receiving security fixes at this time from the PHP project. This means your PHP version will soon no longer be supported. We recommend planning to upgrade to a newer PHP version before it reaches end of support on 2018-12-31. Joomla will be faster and more secure if you upgrade to a newer PHP version (PHP 7.x is recommended). Please contact your host for upgrade instructions.

Will Bytemark be waiting for a stable version here?
https://packages.debian.org/search?keywords=php7.0

Does anyone have results from installing it themselves?


#2

From this thread, unless anything has changed in the last 12 months, there are no plans for PHP7 until Debian ships it.


#3

Yes, to be clear we only ever make rare exceptions to “backport” software from more recent testing or unstable Debian releases back to stable. When we do, they tend to be providing specific functionality that is required as part of the release. E.g. in our current jessie release, we’ve provided the following packages

  • ruby-acme-client (for Let’s Encrypt)
  • ruby-bindata (for ruby-acme-client)
  • ruby-json-jwt (for ruby-acme-client)
  • ruby-securecompare (for ruby-acme-client)
  • ruby-url-safe-base64 (for ruby-acme-client)
  • ruby-cracklib (to check weak passwords)
  • ruby-linux-netlink (to manipulate network interfaces)
  • prosody-modules (to allow XMPP login via Dovecot auth)
  • squirrelmail-change-pass (to allow people to change email password in Squirrel Mail)

All of these are relatively small packages, unlike PHP :slight_smile: The more software we ship, the more we have to monitor for security vulnerabilities, so it is much easier not to backport, and rely on Debian security updates instead.

Hope this makes sense!

Patrick


#4

Just to be clear, the Joomla project are only making a recommendation here (despite all the problems some code created in 3.7.0) to upgrade. Support for the current PHP version runs until the end of 2018 so we have more than 18 months to go.


#5

So Stretch is now stable :slight_smile:

Does this mean php 7 will be on the way soon ?


#6

The best answer I can see is in Symbiosis for Debian Stretch (see progress at github).


#7

I guess PHP 7 is now available and supported:


#8

Yup, SymStretch and php7.0 is here :slight_smile: You have to manually enable 7.0 on upgrade (a good thing) and php’s security support ends in early December so you’ll probably want to look at one of the unsupported routes of setting up containers for php7.1+.


#9

Will the version of PHP 7 included with Symbiosis (7.0.30-0+deb9u) be upgraded before its end of life in just two months' time?


#10

Aiui, php7.1+ isn’t likely to hit Stretch stable-backports so we’d have to wait for Buster (approx. mid 2019) then SymBuster (approx. 2020, mid-summer).


#11

It looks like 7.0.30 will not receive security updates in a couple of months, or maybe I am mistaken?


#12

Yes, 7.0.* is good until 03 December 2018: http://php.net/supported-versions.php


#13

Which is my point. We only have a few weeks before potential security issues. Hopefully there will be an update before then.


#14

I’ve been making that point for months, e.g:

PHP 7.1/7.2 support has been raised at github but the likelihood & timing of any implementation is unknown. It’s safer to assume that we’ll have to go down one of the un/semi supported container routes.


#15

As PHP7 support and security patches end Monday, can we have instructions as to how to move to a supported version of PHP please?


#16

You need to consider a number of factors and take into consideration repercussions there could/would be.

This is LESS a PHP problem and rather more a DEBIAN problem with Symbiosis affected by the problem.

Firstly, what is the issue? PHP Security Support Timescales are too close for comfort!

5.6 * - 31 Dec 2018 < Too close for comfort
7.0 - 03 Dec 2018 < WTF
7.1 - 01 Dec 2019 < More comfortable
7.2 - 30 Nov 2020 < Where most would like to be

You wish to upgrade to the latest (most recent stable) versions of PHP but you are tied to a Symbiosis server…

I can only comment on Debian with Symbiosis (which appears to be most of us) so if you are on another setup this comment may not be appropriate for you.

I have a number of servers (all debian - symbiosis);
1 Running Jessie (for various small client websites)
1 Running Jessie (for 1 larger project I developed & operate)
1 Upgraded from Jessie to Stretch & Upgraded PHP to 7.2.11 (for client which needs security)
1 Clean Stretch install Upgraded PHP to 7.2.12 (for client long term project)

Currently Stretch includes PHP 7.0 (security ends 3rd Dec 2018), this appears to be a problem, it is for me as I am developing a system requiring advanced security only available in PHP 7.2.11+ but I was also concerned by the short support timescale in 7.0 so I was forced into upgrading the server.

Easy & smooth upgrade process for PHP 7 to 7.2 branch was provided by Bytemark Support, it went like a dream.

  1. wget -q https://packages.sury.org/php/apt.gpg -O- | sudo apt-key add -
  2. echo "deb https://packages.sury.org/php/ stretch main" | sudo tee /etc/apt/sources.list.d/php.list
  3. apt-get install ca-certificates apt-transport-https
  4. apt-get update
  5. apt-get install php7.2 php7.2-cli php7.2-common php7.2-opcache php7.2-curl php7.2-mbstring php7.2-mysql php7.2-zip php7.2-xml
  6. a2enmod php7.2
  7. a2dismod php7.0
  8. service apache2 restart

Note: You’ll need to be logged in as the root user or add sudo to the start of all of those commands.

However it appears that Roundcube no longer works (wasn’t spotted immediately) and needs to be upgraded to the latest version (roundcube are aware of the issue and have repaired it in the latest version). I have users on the server who were using roundcube for webmail but I will now have to investigate other options or suitability of upgrading roundcube which could have issues with Symbiosis.

Bytemark cannot supply any assistance with this as I have stepped outside of the Debian>Bytemark upgrade/updates path and now have unsupported PHP installed.

This is why I said earlier consider repercussions, at present you are stuck with PHP 7.0.30 which is the current level of PHP inside of Debian Stretch, it is up to Debian when they are ready to offer the more recent versions of PHP and is outside of Bytemark’s control.

Hope this helps

Peter


#17

Many thanks for your detailed description and advice.

I fully understand the problem lies with Debian and hope they consider changing their mind regarding PHP support. Problem is, stretch has passed the new features stage so I don’t hold out any hope. Very frustrating that PHP 7.0 has already reached end of life.

It has already been mooted by certain development groups that their products will no longer support PHP 7.0 and these groups include some very large and popular CMS packages and the like. I think for many this is a worry.


#18

Can you clarify the issues with Roundcube?
I have followed your steps to update my dev/test machine to 7.2. I had to remove some quote marks from the sources.list file and then I had to install php-apcu and php-gd to keep Nextcloud happy, but when I got as far as checking Roundcube, it seems to be working OK.
Perhaps my testing wasn’t thorough enough. Can you explain what I should be looking for?
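
Added example, not part of any post in this thread: post #18 mentions having to remove quote marks from the sources.list file written in step 2 of the procedure above. A shell check along these lines catches pasted typographic quotes and malformed entries before `apt-get update` runs; the function names and the https-only rule are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of apt or Symbiosis.
# The https-only rule is an assumed local policy for third-party repositories.

# Return 0 if a one-line-style apt source entry looks sane, 1 otherwise.
check_apt_source_line() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;                 # blank line or comment
    esac
    # Any byte outside printable ASCII, e.g. UTF-8 curly quotes from a web page.
    if printf '%s\n' "$line" | LC_ALL=C grep -q '[^ -~]'; then
        echo "non-printable or non-ASCII byte in entry: $line" >&2
        return 1
    fi
    case $line in
        *\"*|*\'*) echo "quote character in entry: $line" >&2; return 1 ;;
    esac
    set -f                                   # no globbing while splitting
    set -- $line
    set +f
    [ "$#" -gt 0 ] || return 0               # whitespace only
    kind=$1
    shift
    case ${1-} in
        \[*\]) shift ;;                      # optional [key=value] options
    esac
    case $kind in
        deb|deb-src) ;;
        *) echo "unknown entry type: $kind" >&2; return 1 ;;
    esac
    if [ "$#" -lt 3 ]; then
        echo "expected 'deb URI suite component': $line" >&2
        return 1
    fi
    case $1 in
        https://*) return 0 ;;
        *) echo "repository URI is not https: $1" >&2; return 1 ;;
    esac
}

# Check every line of a sources file; return 1 if any entry fails.
check_apt_source_file() {
    rc=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        check_apt_source_line "$entry" || rc=1
    done < "$1"
    return "$rc"
}
```

Run `check_apt_source_file /etc/apt/sources.list.d/php.list` after writing the file and before `apt-get update`; a non-zero status means an entry needs correcting.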


#19

Hi @iainharrison

Have you actually logged into an email account through Roundcube? That is where the problem occurs.

Roundcube interface (login screen) loads OK but on submit of username & password the page cannot load, when inspecting the logs it is throwing a 50(?) error…

At the time I investigated the issue through Google searches and landed at Roundcube’s error reporting pages where somebody else had already reported the issue and a fix had been prepared for inclusion in an upcoming version.

I have not looked at the problem in too much detail since but will look further into it as soon as I can but it is a lower priority at the moment than other work I have pending.

If you are managing to login to Roundcube on PHP7+ I would be interested in hearing your version numbers to see if we match…!

Regards

Peter


#20

I’m running stock symbiosis stretch with roundcube 1.2.3 & php 7.0 (not for much longer). No issues seen or reported with basic day-to-day use. I’ve read about 7.x issues, e.g., selecting multiple contacts in address books but the reports relate to much more recent versions of roundcube.