Passwords app and php support

I’m using Debian 10 with php 7.3.

In the passwords site I found information regarding the php 7.4.
In that information was stated for users with php 7.3 they would have no problems since there would be no update to the application in the store until the php is updated to 7.4.

Thats not what happened.

Nextcloudpi is based on Debian 10 that supports php 7.3.

As a Nextcloudpi user the automatic app upgrade was made and the Password app in the store was for php 7.4 and that broke all the Nextcloud and not only the passwords app.

I needed to restore the last night backup to have Nextcloud working again.

This is not a solution.

Do I need to stay in the Nextcloud version I have at this moment or I will have the same problem in the next update of Nextcloud?

It seems to me that the development of the application is going too fast since users of versions still supported by the distributions they use are being left behind.
For those users the only possible option is to stop using the Passwords application

And no, external software repositories are not a solution since they are not supported by the distribution, in this case Debian.

In my opinion, there is only one path and that goes through abandoning the use of the application.

What are your thoughts?

Do I need to stay in the Nextcloud version I have at this moment or I will have the same problem in the next update of Nextcloud?

Maybe with the next major release, but Nextcloud 20 is still working with PHP7.3. But you should note that PHP7.3 is already in it’s extended security period and will be depreacted on Dec 6th 2021. At some point this year you will have to upgrade your PHP packages. PHP: Supported Versions

Also, since you are using NextcloudPi, which is an appliance, you are kind of dependent on the NextcloudPi developers, if or when the packages are getting updated.

It seems to me that the development of the application is going too fast since users of versions still supported by the distributions they use are being left behind.
For those users the only possible option is to stop using the Passwords application

Passwords is a third party app. This was a decision made by the developer of the app, not by the Nextcloud or NextcloudPi devs. There is also a statement regarding this on the gitlab page of the project: System Requirements · Wiki · nextcloud / passwords · GitLab

As you know security patches are backported in Debian, Ubuntu, Redhat, etc.
Thats why that systems are reliable and the appliances built on top of them have the same reliability.

PHP runtime Nextcloud server system requirements:
7.1
7.2 (recommended)
7.3 (recommended)
In my opinion is expected that a Nextcloud third party app follow the Nextcloud requirements.

Yes, you are right, I´m only a user.
I can only chose if I use or not the app

Yes i see your point. But the way I see it, 3rd party apps are always a bit of a lottery. Also, the development of such an app can theoretically stop at any time. I’m not saying that this will be the case with Passwords. But in my case I have decided, to use only official apps for important things.

With the passwords app having monthly updates since 2018, i think it can be said that support of the app has been pretty consistent. (But yes, obviously no independent developer is required to continue development and can stop at any time)

This thread is more about that the passwords app has stopped PHP 7.3 support in consistency with its system requirement policy after announcing it starting in mid-2020.
But unlike stated before, the update to 2021.1.0 has been offered to users who can’t install it. This is because the appstore is currently not checking the PHP requirement for updates. This issue has been resolved currently by removing the problematic update from the appstore.

@vascocb So here is my take as developer of passwords on your legitimate concerns with the 2021.1 update issue.

Yes, that was obviously what was supposed to happen. I blindly assumed that just like Nextcloud checks the Nextcloud requirement before offering an update, it will also check the PHP requirement. Just like it also does check PHP for new installations of the app. Just like it checks it when you want to enable the app. Just like Nextcloud 21 does in all cases. And just like Nextcloud 20.0.5 will do. Because why would you not do that?

If you had asked for help, i would have explained to you how to downgrade the app and get your Nextcloud working again. You’re not the only one running into this issue. Everyone with PHP 7.3 and 7.2 was.
Here is a guide to downgrade the app.

No. Since many have alerted me of the issue i have pulled the update from the appstore on sunday and will only release it again when the issue is fixed.
The upcoming fix will not only prevent users from installing an unsupported update, but also gives me the option to provide security fixes to users of 2020.12.
Since PHP 7.3 also only gets security fixes, this means your system will receive the same level of support by me as it gets by the developers of PHP.

Debian 9 also still has support, yet noone is complaining about missing PHP 7.0 support. Debian is well known for putting a “b” in “stale” and having others deal with a wide variety of outdated software for the years to come. Debian is a huge software project with enough manpower to support old software for decades.
Passwords isn’t, and therefore i choose to prioritize the development of much wanted features over long term legacy software support from the very beginning. The update policy of the app has been communicated clearly in the system requirements and i would argue that the removal of PHP 7.3 support has also been advertised early and a lot.

From deb.sury.org - the ppa i recommend:

I am a Debian Developer since year 2000, and I have been packaging PHP for Debian since PHP 5. That means the official packages in Debian and Ubuntu are either my work or they are based on my work. The PHP packages in my Ubuntu PPA and Debian DPA matches the official packages in Debian. Basically I am saying that you can’t get any closer than that.

These are not the current system requirements, but PHP 7.3 is still supported and recommended by NC 20.
However Nextcloud specifically offers the option for apps to specify their own requirements in order to give open source devs the ability to advance their apps, which they develop in their free time, at their own pace.
If you want the passwords app to live up to your expectation in terms of system requirements, in the spirit of open-source: make it happen yourself. I’m happy to accept PRs for a 2020 LTS branch.

And here is my rant about any other demand you have.

You’re quoting the Nextcloud 17 requirements which is EOL since october 2020. Until when must i support outdated Nextcloud versions? Since i assume you want to point out that PHP 7.3 is one of the recommended versions, i would like to point out that Debian is not recommended in any version. Ubuntu 20.04 and RHEL 8 are. Which both ship with PHP 7.4.
Also you might notice that some minimum requirements (Oracle DB) are marked with (only as part of an enterprise subscription) which brings us to:

I guess it’s easy to demand support for a total of 144 different software combinations from me when it’s free. But Nextcloud is not free, only the general components are open-source and free software. Anything Nextcloud considers to be an enterprise feature requires a Nextcloud Enterprise Subscription. These features include the supported software stack, update channels and functionality. I have been working on 2020.1.0 since september 2020 and put a lot of time into replacing any deprecated NC api call and testing. DM me and we can discuss Passwords Premium LTS Enterprise Subscription pricing.

This is open source. PHP is very beginner friendly. Head over to my repo and offer your workforce as maintainer of the 2020 branch for future updates.

If you really expect me to never make a mistake when releasing the a new version, then yes. Please do so. As already outlined in the manual, testing a release for every supported software combination is an insane amount of work that i do in my free time. This very issue shows how impossible this is! Things like the app store suggesting updates that don’t work might be obvious after it happened, but really hard to catch if you don’t expect it.

If using PHP 7.3 despite it not being the current version and the developers no longer providing anything but security fixes is no problem for you, i don’t understand why having to use an older version of the app is suddenly me “leaving users behind”.

New releases of Nextcloud often cause users experience failures during updates. When i last tried to update my NextcloudPi, it just died and i had to redo the entire thing. You have had your own fair share of issues with NextcloudPi, yet i can’t see you suggesting that the only fix for this is abandoning it.

I can understand that you’re angry about this issue and you have every right to be.I promised that you can install any update you see worry free and the exact opposite happened because I did not test what i promised at all. I am thankful that the absolute vast majority of affected users were understanding and helpful while i was working out ways to get the issue resolved. I’m also thankful that Nextcloud has developed patches to fix this issue and will also backport them to the upcoming Nextcloud 20.0.5.

What makes me angry is how low you value the time and work of open-source contributors. You would have to wait some time until NextcloudPi does the PHP update for you. Until then you would have to stay on a version of Passwords that was intended to be used that long. The E2E didn’t accidentally land in 2020.12. It’s there so users are not left behind and can use the most wanted feature with the new browser extension even with PHP 7.3 and 7.2. But apparently that’s atrocious and leaves no other choice than to cancel the entire project.
Obviously not having the latest version of PHP is completly ok and the basis of “reliable systems”, but not having the latest version of the app is completely unacceptable. Instead the developer of the app has to support every PHP version that is supported by the largest Linux distribution out there with thousands of contributors and maintainers. Do you even know what that means for me? Supporting PHP 7.0 until 2022, 4 years after all support has been ended by the developers? PHP 7.3 until 2024? And of course PHP 7.0, 7.2, 7.3, 7.4, 8.0, 8.1, 8.2 & 8.3 all in a single code base. I’ll really have a fun full time job figuring out how to support 10 years of PHP development and breaking changes.

I hope that you can somehow understand that i see better uses for my time.

Yes, i understand and appreciate the time dedicated to people like me who don’t know/can do your job

This thread is more about that the passwords app has stopped PHP 7.3 support in consistency with its system requirement policy after announcing it starting in mid-2020.
But unlike stated before, the update to 2021.1.0 has been offered to users who can’t install it. This is because the appstore is currently not checking the PHP requirement for updates. This issue has been resolved currently by removing the problematic update from the appstore.

Yes you are right. My second statement was an addition to my first one and and dosen’t address your app or the issue of the OP in particular. Beside of that, that issue wouldn’t have affected me anyway, because i like my software stack up to date, so I’m running PHP7.4 already. And usually when I had problems with 3rd party apps, the reason was that they were not ready for the new versions, when I wanted to upgrade my Nextcloud or PHP installs. Exactly the opposite of what happened here. You can never please everyone, I guess

Anyways… Thanks for your statement and also the detailed explanations to vascob.

There is a solution to your dilemma: use keepass and sync the encrypted DB of pwords to your cloud. Works perfectly for me. No more worries about NC, and contributors, leaving you in the dust.

I, too, had problems with Nextcloud and PHP versions (not the pword app). Asking for help, I was told the problem was I needed to use PHP 7.4, not possible for me on a shared host. Later, the problem resolved without moving to PHP 7.4 from 7.3. My posts were ridiculed by NC staff, leaving me very disappointed with attitudes exhibited by some on the forum. Sad.

I’m not sure what your post adds here, @private.guy, apart from FUD. Not only has @mdw spend a considerable amount of time to explain the technicalities behind the hick-up in utmost detail (thwarting your general statement about developer attitude), but also is this app the best tended-to and carefully-updated app in the NC universe I know of (better maintained than several of the “official” ones) so suggesting to move to another solution doesn’t help. Apart from that even the OP thanked already for the information given.

Suggest to close topic.

Hi @mdw ,

I understand your arguments and I appreciate the amount of free time you invest in this really well-maintained and from me heavily-used app. Nevertheless I explain my situation before asking.

I really like the passwords app and after Debian released bullseye I updated so php is now on 7.4 which is native.
Ubuntu 20.04 (LTR) had php7.4 nativley about 1,5 years ealier so I really appreciated that there is a legacy support for php 7.3.

After I updated I saw that 7.4 support will be discountued in January 2022, which makes me think about if and how long there will be a 7.4 (legacy) support.
Honestly I do not want to update to php 8.0 if it was not supported natively and using open source only I want to wait until debian has done all its testing to release the next major version properly which will hopefully include php8.0.
This will be in about 2,3 years. A long time.

So any comment on how long you plan to (legacy) support php7.4 will be very much appreciated.

Thank you.

As much as I appreciate Debian and also use it myself, it is just too slow in some things. Especially when it comes to packages like PHP, which you simply want to have up to date for various reasons or possibly even want to have a specific version, depending on what applications you are hosting.

Why not just include the repos from Ondřej Surý to your Debian installation. Then you can decide for yourself when you want to use which version of PHP.

And before you start telling me your perfectly legitimate concerns about 3rd party repos… Ondřej Surý is also the maintainer of the official PHP packages in Debian. So he knows what he is doing… I use he’s repos for several years now, and never had any issues. Security fixes are also provided as soon as they become available upstream from the PHP project.

https://deb.sury.org/

https://packages.sury.org/php/README.txt

@florom The legacy support version is created automatically, so hopefully i will not have much work with it.

My plan is that the LSR build meets the minimum requirements of the lowest supported NC version. That is currently NC 20 with PHP 7.2. Unless Nextcloud drops PHP 7.4 support faster than usual, the LSR version would likely support it until the end of 2023.

However, for the security of your server and the data stored on it, i would recommend that you do not run any version of PHP which is considered end of life by the PHP developers. For PHP 7.4 that will be in December 2022.

Security fixes are getting backported to older versions in Debian. As far as I know this is done by Ondřej Surý himself But yes in general I agree with you, see also my previous post.

Hi,

@bb77

Ok, it makes think if I might adapt my php strategy.

@mdw

That is good news. Thanks.

I have not read the whole thread.

But normally you only use the php version included in the actually used Debian/Ubuntu version.

Debian Buster (2019): PHP 7.3
https://packages.debian.org/de/buster/php
Debian Bullseye (2021): PHP 7.4
https://packages.debian.org/de/bullseye/php
Debian Bookworm (2023): i think PHP 8.x
(actual not, PHP 8.0 is only in experimental)

Ubuntu 20.04 (2020): PHP 7.4
Ubuntu – Informationen über Paket php in focal
Ubuntu 22.04 (2022): PHP 8.x
(Ubuntu 21.10 uses PHP 8.0, please do not use it for installing Nextcloud)

Please use only LTS releases for nextcloud server.
Most of the time it is not necessary to install a different php version.
I think Nextcloud is optimized for Ubuntu/Debian releases with the included php versions.

Hi @bb77 @mdw ,

After this statement

I am rethinking again if my strategy is the recommended one.
Never the less I read that php8.0 is still experimental (in the eyes of the debian developers) and therefore will be shiped in about 5 years.
For now php7.4 is still full supported and securtity fixes will be provided a long time too.

Thanks again for clarifying.

I hope it will be shipped with Debian Bookworm in 2023.

Now i found PHP8.0 in Sid.

I hope too.

I followed the links above and checked myself for Bookworm and Sid