Using an unofficial PHP PPA on a production server [duplicate]
I have a query regarding PHP updates on my Ubuntu servers.
I've noticed that php versions from here https://launchpad.net/~ondrej/+archive/ubuntu/php seem to get updates a lot faster than the official ubuntu PHP packages get updated.
My primary use case is to run PHP production environments on these Ubuntu servers, and although using the official Ubuntu repos would be the usually the best option, would actually using the 'ondrej ppa' be more secure since they get bug fixes and CVE patches a lot faster considering that my primary use case is a PHP server?
Ideally I'd like to update things like this http://us3.php.net/ChangeLog-7.php#7.0.14 soon after they are released by the PHP core team and not wait x months for ubuntu to package it up. The package maintainer of the suggested PPA also seems to be the person who does the official packages for Debian, from what I gather.
What are the practical downsides to using something non-official in production in this use-case? would you not recommend it?
Solution summary
Based on answers from the comments and the selected solution. Canonical apply security patches to the current packaged PHP version. As a result, the official package with Ubuntu is just as secure - but would not contain any extra features the PHP Core team have added- meaning it wouldn't introduce bugs/regression which would be important for many users.
The /~ondrej PPA can be considered trustworthy in this case; with many users relying on the PPA, frequent updates, and the maintainer being one of the core Debian package maintainers.
In my instance, I have opted to use this PPA. as it allows me to utilise features that come with PHP 7.1
Thanks for all your help.
Solution 1:
The package maintainer of the suggested PPA also seems to be the person who does the official packages for Debian, from what I gather.
... is the crucial part for me.
If this is the case all you would need to do is keep track what changes in the crew of the PHP package. When the maintainer quits and someone takes over it might warrant holding back updates until the new maintainer proves him/herself.
What you also should ask yourself: do I need the features the Ubuntu version does not give me yet. If the answer is no don't use that PPA. If the answer is yes you could consider it.
What are the practical downsides to using something non-official in production in this use-case?
You will also pull in bugs quicker. Bugs Ubuntu will not fix for you (since it does not know about it).
Would you not recommend it?
In general: no. In this case: it is probably worth it if you need the extra features.