Using an unofficial PHP PPA on a production server [duplicate]

I have a query regarding PHP updates on my Ubuntu servers.

I've noticed that PHP versions from here https://launchpad.net/~ondrej/+archive/ubuntu/php seem to get updates a lot faster than the official Ubuntu PHP packages get updated.

My primary use case is to run PHP production environments on these Ubuntu servers, and although using the official Ubuntu repos would usually be the best option, would actually using the 'ondrej ppa' be more secure, since they get bug fixes and CVE patches a lot faster, considering that my primary use case is a PHP server?

Ideally I'd like to update things like this http://us3.php.net/ChangeLog-7.php#7.0.14 soon after they are released by the PHP core team and not wait x months for Ubuntu to package it up. The package maintainer of the suggested PPA also seems to be the person who does the official packages for Debian, from what I gather.

What are the practical downsides to using something non-official in production in this use case? Would you not recommend it?


Solution summary

Based on answers from the comments and the selected solution. Canonical apply security patches to the current packaged PHP version. As a result, the official package with Ubuntu is just as secure, but would not contain any extra features the PHP core team have added, meaning it wouldn't introduce bugs/regressions, which would be important for many users.

The /~ondrej PPA can be considered trustworthy in this case, with many users relying on the PPA, frequent updates, and the maintainer being one of the core Debian package maintainers.

In my instance, I have opted to use this PPA, as it allows me to utilise features that come with PHP 7.1.

Thanks for all your help.


Solution 1:

The package maintainer of the suggested PPA also seems to be the person who does the official packages for Debian, from what I gather.

... is the crucial part for me.

If this is the case, all you would need to do is keep track of what changes in the crew of the PHP package. When the maintainer quits and someone takes over, it might warrant holding back updates until the new maintainer proves him/herself.

What you also should ask yourself: do I need the features the Ubuntu version does not give me yet? If the answer is no, don't use that PPA. If the answer is yes, you could consider it.

What are the practical downsides to using something non-official in production in this use-case?

You will also pull in bugs quicker. Bugs Ubuntu will not fix for you (since it does not know about them).

Would you not recommend it?

In general: no. In this case: it is probably worth it if you need the extra features.
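Two practical checks follow from the summary's point that Canonical backports CVE fixes without bumping the upstream version, and from the answer's warning that a PPA pulls in bugs Ubuntu will not fix. The shell script below is an added example, not part of the question or the answers: it reads a changelog in the shape produced by `apt-get changelog`, extracts the CVE ids it mentions (so you can tell whether the stock package already carries a fix before reaching for the PPA), and emits an apt preferences stanza that limits a PPA to the packages you actually want from it. The changelog text is constructed and its CVE ids are placeholders; the `Origin` value used for pinning is an assumption about how Launchpad names PPA releases and should be confirmed with `apt-cache policy` on the host before relying on it.

```shell
#!/bin/sh
# Added example (not from the question or answers). Checks whether an
# Ubuntu-packaged PHP changelog already lists a CVE fix, and generates an
# apt pinning stanza that scopes a PPA to PHP packages only.

# Constructed excerpt in the shape of `apt-get changelog php7.0` output.
# The CVE ids are placeholders, not real advisories.
# On a real host you would run:  apt-get changelog php7.0
SAMPLE_CHANGELOG='php7.0 (7.0.13-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * SECURITY UPDATE: placeholder entry
    - CVE-0000-0001
  * SECURITY UPDATE: placeholder entry
    - CVE-0000-0002
    - CVE-0000-0001

 -- Maintainer Name <maintainer@example.com>  Mon, 01 Jan 2017 00:00:00 +0000
'

# Print the distinct CVE ids found in the changelog read from stdin, one per
# line. Ubuntu security updates record backported fixes here, so a hit means
# the fix landed even though the upstream version number did not change.
cves_in_changelog() {
    grep -o 'CVE-[0-9][0-9]*-[0-9][0-9]*' | sort -u
}

# Exit 0 if the changelog on stdin mentions the given CVE id, else exit 1.
# Usage: apt-get changelog php7.0 | changelog_fixes_cve CVE-YYYY-NNNN
changelog_fixes_cve() {
    cve="$1"
    cves_in_changelog | grep -qx "$cve"
}

# Emit an apt preferences stanza (for /etc/apt/preferences.d/) that lets
# php* packages come from the PPA at the normal priority while every other
# package in the PPA is held below the Ubuntu archive's default of 500.
# ASSUMPTION: Launchpad PPAs identify themselves as Origin LP-PPA-<owner>-<name>;
# confirm with `apt-cache policy` before deploying this stanza.
ppa_pin_stanza() {
    cat <<'EOF'
Package: php*
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: 500

Package: *
Pin: release o=LP-PPA-ondrej-php
Pin-Priority: 100
EOF
}

# Stand-alone demonstration against the constructed sample.
if [ "${1:-}" = "demo" ]; then
    echo "CVE ids mentioned in the sample changelog:"
    printf '%s' "$SAMPLE_CHANGELOG" | cves_in_changelog
    if printf '%s' "$SAMPLE_CHANGELOG" | changelog_fixes_cve CVE-0000-0002; then
        echo "CVE-0000-0002: fix present in packaged version"
    else
        echo "CVE-0000-0002: not mentioned; consider the PPA or a newer package"
    fi
    echo "Suggested pinning stanza:"
    ppa_pin_stanza
fi
```

After writing the stanza to `/etc/apt/preferences.d/`, `apt-cache policy php7.0` should show the PPA candidate for PHP packages and the Ubuntu archive candidate for everything else; if it does not, the `Origin` string is the first thing to check.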