Who is behind the Webtatic repository and do you trust it?

Back when I first started as a Linux admin 8 years ago I used to use a popular third party repository to upgrade my LAMP stack. It was run by a single individual. One of the primary reasons was developers pressuring me for a newer version of PHP than what came with RHEL 5. It ended up biting me.

The person abandoned the repositories so I was no longer getting security updates, but I also could not remove all the newer packages and go back to the RHEL packages due to the RHEL version of PHP being from too old a branch. Moving to that repository's LAMP stack touched at least half a dozen packages or more. So, maintaining those packages and recompiling them all by hand from time to time would be a major PITA.

You also lose the ability to use the OS vendor's security advisories regarding CVE vulnerabilities to determine whether your system is or is not vulnerable to a certain exploit for those packages. This proved to be a major problem for me years later, even though I would never have anticipated it at the time.

So, in addition to having trust in the maintainer's integrity and technical skills, you have to ask yourself whether you trust them not to move on to a new job that won't allow them to maintain the repository, or get married and have kids and no longer have time, etc.

Since then I have been very skittish about using any third party repositories, especially those that only have one person running them.


The question is not if we trust Andy, it is if you trust Andy.

I'm not familiar with the repository but the donation button suggests a personal effort. Feel free to contribute if it has value to you.

Packages look to be GnuPG signed, so it is possible to verify with some certainty that the packages are authentic. You can also check if he is on the web of trust.

Regarding quality or security, it's best if someone else has a look at how the repository is doing. This could be you. Subscribe to the upstream security advisories and check if they are affected. Evaluate the packages as a reviewer would for Fedora.

If continuity of these packages is important to you, acquire similar skills. Learn packaging or hire someone who can.
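The answer above says the packages are GnuPG signed and can be verified. A bare `rpm -K` only tells you that some key in the RPM database verified the package; the check a practitioner actually wants is that the package was signed by the specific key the repository publishes. The following POSIX shell script is an added example written for this page, not code from the thread or from the Webtatic project. It reads the signing key ID from the package header (`rpm -qp --qf '%{RSAHEADER:pgpsig}'`, with the legacy `SIGPGP` tag as fallback), compares it against an allow list you supply, and only then asks `rpm -K` to verify the signature. The sample signature string, the package path and the allowed key ID are placeholders or constructed values; replace the key ID with the one the repository publishes, obtained and checked out of band.

```shell
#!/bin/sh
# Added example (not from the original thread): pin an RPM's signing key
# instead of trusting a bare "signatures OK" from rpm -K.
# Assumptions: package paths and the allowed key ID below are placeholders;
# the repository's real key ID must be obtained and checked out of band.

# Extract the hex key ID from an rpm pgpsig string, which rpm prints as
#   "RSA/SHA256, <date>, Key ID 0123456789abcdef"   (constructed sample)
# Prints nothing for "(none)", i.e. an unsigned package.
key_id_from_sig() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Key ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' \
        | tr 'A-F' 'a-f'
}

# Return 0 if key ID ($1) appears in the space-separated allow list ($2).
key_allowed() {
    _id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for _k in $2; do
        [ "$_id" = "$(printf '%s' "$_k" | tr 'A-F' 'a-f')" ] && return 0
    done
    return 1
}

# Full check for one .rpm file (needs the rpm tool on the host). Returns:
#   0 = signed by an allowed key and signature verifies
#   1 = unsigned, 2 = signed by a key not on the allow list,
#   3 = rpm -K failed (bad signature, or key not imported with rpm --import)
check_rpm() {
    _pkg=$1; _allow=$2
    # Modern rpm verifies the header signature (RSAHEADER); fall back to the
    # legacy SIGPGP tag for older packages.
    _sig=$(rpm -qp --qf '%{RSAHEADER:pgpsig}' "$_pkg" 2>/dev/null)
    [ "$_sig" = "(none)" ] && _sig=$(rpm -qp --qf '%{SIGPGP:pgpsig}' "$_pkg" 2>/dev/null)
    _id=$(key_id_from_sig "$_sig")
    if [ -z "$_id" ]; then
        echo "$_pkg: UNSIGNED"; return 1
    fi
    if ! key_allowed "$_id" "$_allow"; then
        echo "$_pkg: signed by unexpected key $_id"; return 2
    fi
    # Only now let rpm verify the signature against the imported public key.
    if ! rpm -K "$_pkg" >/dev/null 2>&1; then
        echo "$_pkg: signature check FAILED"; return 3
    fi
    echo "$_pkg: OK (key $_id)"; return 0
}

# Usage (placeholders): check_rpm ./php-example.rpm "<repository key id>"
```

Before running `check_rpm`, import the repository's public key with `rpm --import` so that `rpm -K` can verify rather than report a missing key, and keep `gpgcheck=1` (and, where the repository signs its metadata, `repo_gpgcheck=1`) in the repository's yum configuration so installs get the same check automatically. The key-ID pinning step is what protects you if a different key ever starts signing packages under the same repository name.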


Remi is the standard for latest builds of PHP for RHEL. He is a long-established and reliable source for RPM packages that is being actively maintained and includes as many relevant packages as possible.

The webtatic source is unknown and untrusted. It shouldn't be used at all.

I found it running on a legacy system. It had a serious memory leak in it. I replaced it with Remi, exactly the same PHP version and suddenly everything's running smoothly. I don't think it's even a stable compile.