[meta] Should Drupal 7 drop support for older PHP versions?

🐛 Fix regression caused by ::class constant Fixed was a regression in early PHP 5.x versions caused by a change made in https://www.drupal.org/sa-core-2023-005 →

We're doing a hotfix release for that issue, but I think it's a good illustration that supporting the really old PHP versions is not sustainable.

Without going into too much detail, the process for testing private security patches is different to public issues and it's considerably more laborious (if it's possible at all) to test on every possible PHP version.

I don't think there's a compelling business case for the DA to expend resources on maintaining / improving the testing infrastructure for e.g. PHP versions before 5.6

In https://dri.es/the-end-of-php-5 (November 2018) Dries actually stated that:

Drupal 7 will drop support for older versions of PHP 5 on December 31st, but will continue to support PHP 5.6 ...

Without digging into it too much, that doesn't seem to have happened but it was probably a good plan.

I propose that we put that into action now and officially withdraw support for everything before PHP 5.6

In practice we will not do anything to actively break D7 on earlier PHP versions; this change would really just be recognising the fact that it's not feasible to thoroughly test every patch on all versions from PHP 5.3 up to the latest releases.

Any D7 sites still running on really old PHP versions should update to a more modern supported version as soon as possible.

IMO you shouldn't be supporting anything older than PHP 7.4 at this point given that that is the oldest version of PHP that is still supported. By the end of the year, 2023, only PHP 8.0 and above should be supported. There are far too many known vulnerabilities in older versions of PHP for people to continue to use them.

I agree that versions before PHP 5.6 should not be supported. For reference, PHP 5.6 was released in August of 2014.

Comments from #7 and #8 are valid in most cases, but #3 notes that the enterprise Linux distribution RHEL 7 will continue to support and make security backports to 5.4 through its EoL in June 2024. That means there are very likely going to be enterprise business use cases that can and will use this patched 5.4 version for another year. People on that distribution could use Software Collections to update, but SC is not directly supported by Red Hat, leading to the business decision to stick with 5.4.

But this is just to point out that there can and will be groups that may not be in a position to upgrade regardless of the commented recommendations.

I don't really have an opinion, but if Drupal wants/needs to drop support of older versions due to lack of 'resources', that sounds like a fine plan. As long as it's communicated as effectively as possible so as to not blindside people like with the regression introduced in 7.96, it could prompt people on lingering versions to update in some way, contribute a patch for anyone still interested, or migrate to another CMS.

It should also be noted that support for Drupal 7 itself is going to be dropped at some point. So does it make sense to drop PHP support earlier than dropping D7 support?

Linking the new PSA also here: https://www.drupal.org/psa-2023-06-07 →

This means that we are going to drop support of PHP 5.5 and below from August 2023. This does not mean that we are going to introduce incompatible changes with these old PHP versions intentionally. But keep in mind that there will be no automated testing on these old PHP versions anymore.

I have created a child issue: 📌 Update PHP requirements for D7 according to the PSA-2023-06-07 Fixed to handle all changes mentioned by the PSA-2023-06-07 → .