GAE PHP - Vulnerability patching strategy?


Tommie

Feb 24, 2017, 9:11:15 AM
to Google App Engine
Hi,

Does anyone know where to find vulnerability patching strategies and/or official documentation on how Google keeps its PHP version patched from new CVEs? I'm investigating GAE for a project and I'm finding very little documentation around this.

Thanks!

Tommie

Feb 24, 2017, 9:13:24 AM
to Google App Engine
Official docs say PHP is on version 5.5.34. Most recent security update is 5.5.38.

Nick (Cloud Platform Support)

Feb 24, 2017, 1:51:35 PM
to Google App Engine
Hey Tommie,

You're right that it appears our docs don't have an explicit page dealing with this question. Perhaps we could write one, and I'll see about getting this request tracked, although I can't guarantee it will occur. 

At any rate, the latest update is 5.6.30, which means that even 5.5.38 is many CVEs behind the "state of the art". In order to use a latest-version PHP server, you'll have to administer your own PHP server on Compute Engine or deploy a Custom Runtime app on the App Engine Flexible Environment.

I'll let you know if I have any more useful information to share about the process of selecting the PHP version used in the App Engine production environment.

Cheers,

Nick
Cloud Platform Community Support

Nick (Cloud Platform Support)

Mar 1, 2017, 3:35:04 PM
to Google App Engine
Hey Tommie,

Just as an update on this topic, I'll give you an idea of what we might consider adding to the documentation page directly to explain our process:

Google takes security and the robustness of our products seriously. Each new version of PHP is tested as a completely new runtime. In order to ensure the environments are secure and durable, extensive testing and development is required.

In general, the App Engine team is aware of the desire for the latest-version runtime. As mentioned, it's currently possible to implement a custom runtime[1] on App Engine Flex containing the desired runtime.

Cheers,

Nick
Cloud Platform Community Support

Tommie

Mar 2, 2017, 9:01:35 AM
to Google App Engine
Hi Nick,

Thanks for getting back to us.

Our main concern is that the current PHP version is so far behind the current "state of the art", especially since the current version on AppEngine is from 31 Mar 2016. Which means that we're slowly crawling up on one full year without any updates. Which is a hard sell to my customers, whom I intend to move over to AppEngine.

While the flexible environment is interesting and looks very versatile, it's difficult to consider that as an option as long as Google itself does not recommend it for production use.

Do you have any timeline for the PHP upgrades or when the flexible environment is expected to go out of beta?

Thanks,
Tommie

Nick (Cloud Platform Support)

Mar 2, 2017, 5:40:30 PM
to Google App Engine
Hey Tommie,

As usual, we can't speak on any specific timeline for the Flexible Environment going from Beta into General Availability. It definitely depends on what work remains to be done, any unexpected technical problems to solve, etc. As for the PHP runtime and CVEs, I've forwarded this question to some colleagues who work directly with the PHP runtime and we hope to have a more authoritative answer shortly.

Cheers,

Nick
Cloud Platform Community Support 