Install Joomla testing
On sites hosted on the stable PHP 5.6 (which many webhosters use because it's stable), every time the admin logs in to the Control panel he sees this text:
"Your PHP version, 5.6, is only receiving security fixes at this time from the PHP project. This means your PHP version will soon no longer be supported. We recommend planning to upgrade to a newer PHP version before it reaches end of support on 2018-12-31. Joomla will be faster and more secure if you upgrade to a newer PHP version (PHP 7.x is recommended). Please contact your host for upgrade instructions."
This creates unnecessary unrest about PHP 5.6, which will be supported for almost 2 years to come. Besides that, php7 might also contain extra vulnerabilities compared to 5.6.
It should be more based on facts and not create unnecessary unrest.
"Your current PHP version, 5.6, is receiving security fixes until 2018-12-31. Upgrade your hosting platform to PHP 7.x before that date. Apart from security, Joomla! will also run faster on PHP 7.x. Please contact your host for upgrade instructions."
PHP 5.6
It's a plugin that can be disabled too.
Ok good, can close the message :) But can the text be changed ?
I tried to explain the why, I think the message in this form is creating unnecessary unrest about security of PHP 5.6. If I am alone in this, well... then I withdraw :)
It's not aimed specifically at PHP 5.6. The logic is pretty generic across all PHP branches (5.6 is a special case because of its elongated security support status).
PHP's general rule is 2 years of bug fixes and 1 year of security, then end of support. So the plugin's logic starts giving the notification when the release hits the security phase because it generally only has a year of support remaining. 5.6 ended up getting an extra year of security support, so it's causing the message to display for longer than it normally would.
Priority | Medium | ⇒ | Low |
Status | New | ⇒ | Needs Review |
I'd like to comment on this. Now that we're upgrading sites to 3.7, the site owners are starting to see this message and it is creating some unnecessary support effort to talk it through with them. We do have a plan to upgrade the PHP versions, but not just yet.
So I am finding myself agreeing with the OP on this one: PHP 5.6 still has more than a year and a half of support remaining, so the message is perhaps a little premature.
I know PHP 5.6 is a special case with elongated support, but I suspect they're likely to do the same again in the future (ie maybe with the last PHP 7.x before PHP 8?), so wiring in some kind of provision for long-term-support versions would seem to be sensible. Maybe we could still show something, but make the message a little less "scary" for admin users if there's more than 9 (12? 6?) months' support remaining.
Anyone's free to propose a pull request. The only thing I'm going to draw a line at "not allowed" on is manipulating the data array which uses the dates for each support phase from the PHP project itself (so no changing the security support date for PHP 5.6 just to remove the message). If someone feels there is a need to handle things differently with "special" cases, that must be provisioned in a different way into the plugin.
I also feel too much energy is going into explaining to customers that the message is nothing to worry about and that Joomla is showing that too early (which is my opinion that I tell my customers).
Having this as a post-install message that you can disable once with one click in the BE would be good enough until three months before expiry of the security support.
After that a nagging message like that might be helpful for the last few percent. So I would like to "manipulate the data array" a bit to cut it down to three months. That should be enough time to flip the switch, since at that stage all plugins and providers should anyway have no problem with that anymore.
It's not an urgent matter, but it could save a lot of time if this would be thought of in future versions.
The data array shouldn't be manipulated. It is a straight copy of the support dates from the PHP project for each version branch. Anything we do should be based on those dates which is why the array holding that data shouldn't be manipulated. If anyone wants to create a proposal for a different approach, go for it, but do NOT change the dates that the plugin uses to suit your needs; create custom logic in the PHP code based on those dates.
Ok, got it, that data is retrieved from a fixed source. So using only the eol value minus a number of days could do the trick. The first value would just not be used for the time period of showing it in BE.
So a message like this could be derived from the data array.
Today is the 01.10.2018 (actual date). Your PHP version gets only security fixes since 01.01.2016 (security value) and it is 90 days before the expiry of security support on 31.12.2018 (eol value). PHP (php version) will not be supported after that day and is in high risk of being vulnerable.
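One way to implement the constraint discussed above, as an added example that is not the plugin's code or the pull request from this thread: the support dates are passed in read-only and the warning window is computed from the `eol` value. The array shape, function name, state names and the 90-day default are assumptions for illustration; the 5.6 dates are the ones quoted in the thread.

```php
<?php
// Added illustration; not the Joomla plugin's code. Names and array shape are assumptions.

// Constructed sample row using the PHP 5.6 dates quoted in this thread.
// 'security' = start of the security-fixes-only phase, 'eol' = end of all support.
$supportDates = [
    '5.6' => ['security' => '2016-01-01', 'eol' => '2018-12-31'],
];

/**
 * Decide which notice to show. $dates is only read, never altered;
 * the warning window is derived from 'eol' minus $warnDays.
 */
function phpSupportNotice(array $dates, string $phpVersion, DateTimeImmutable $today, int $warnDays = 90): array
{
    // Reduce a full version such as "5.6.30" to its branch "5.6".
    if (!preg_match('/^(\d+\.\d+)/', $phpVersion, $m) || !array_key_exists($m[1], $dates)) {
        return ['state' => 'unknown', 'daysLeft' => null];
    }

    $security = new DateTimeImmutable($dates[$m[1]]['security']);
    $eol      = new DateTimeImmutable($dates[$m[1]]['eol']);
    $today    = $today->setTime(0, 0);

    if ($today > $eol) {
        // Past end of support: always an error, regardless of the window.
        return ['state' => 'unsupported', 'daysLeft' => 0];
    }

    $daysLeft = $today->diff($eol)->days;

    if ($today < $security) {
        return ['state' => 'supported', 'daysLeft' => $daysLeft];
    }

    // Security-only phase: a one-time dismissible notice until the window opens,
    // then the recurring control panel warning.
    $state = $daysLeft <= $warnDays ? 'warn' : 'notice_once';

    return ['state' => $state, 'daysLeft' => $daysLeft];
}

// Constructed dates: the day of this discussion and a day inside the 90-day window.
foreach (['2017-05-12', '2018-11-15'] as $day) {
    $result = phpSupportNotice($supportDates, '5.6.30', new DateTimeImmutable($day));
    echo $day, ' => ', $result['state'], ' (', $result['daysLeft'], " days left)\n";
}
```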
I agree with @StefanSTS that this message is causing my customers to worry about things that are not that pressing at this time.
@Llewellynvdm - but then if notices are never displayed, how do we get people to update their PHP versions? We'd still be in the dark ages in PHP 5.1 if this happened. It's a way of notifying people and getting them to update.
@C-Lodder Sorry, I cannot follow your argumentation. Nobody said, never display it.
I said, show a "post install message/after update message". Let the user be able to click that away in ONE click FOREVER.
In the time period of 90 days before the security support is dropped, show the message as it is now.
From my point of view it is enough to make the user/webmaster aware of what version should be used once or twice. That happens first with the system requirements that you see on the Joomla homepage. Second could be the post-install message. Third only when it's going to be close to the critical state. A little bit of responsibility should be left to the user. And the ones that never listen, they deactivate the message anyway.
It's like every morning I come out there is a piece of paper on my windscreen, telling me: "there is only 6mm rubber left on your tyres, you have to change them when they are down to 2mm." My thought, yeah, but I can use them for another 2 years and I just bought them with 8mm, so why the heck is the JPolice putting that paper on my windscreen.
Worst thing, showing this PHP 5.6 message so early has an adverse effect. The user will ask the provider/hoster to change his PHP version, the provider will tell the user, it is still time and the Joomla guys are overdoing it. So by the time it gets important to show the message 95% will have deactivated that message anyway. Most of my customers have.
One shortened real conversation: What is that, is that a problem now? No, it will become a problem only once that date is reached and the PHP version does not get security updates anymore. Your hoster will have PHP 7.x by then. Ok, then switch it off, I don't wanna see it every time.
You do realise you can disable the message
@brianteeman
"You do realise you can disable the message"
That is exactly my point, people will deactivate it, because they say it is annoying and at the time it is needed, it will not be displayed anymore. So in this way it is doing just the opposite of what it should do.
It should: "Warn users at an appropriate time before the issue becomes critical."
@C-Lodder to show the update is one thing; to automatically show it every day (every time over and over and over) until the update is made is a complete other thing. @brianteeman yes I know we can turn off the plugin on like 50 websites... great stuff. I hope we are still smart thinkers here who want to save each other time.
My point and that of others being voiced is not that we should not have these notices, but to show them to the right people and at the right time, the right amount of times.
"showing this PHP 5.6 message so early has an adverse effect"
The logic is the same for all PHP branches. A warning that the branch is in security support mode only (generally the last 12 months of support) is displayed then an error when the version is no longer supported. PHP decided to extend support for the 5.6 branch. That causes it to display for a lot longer than the original design called for, which is unfortunate, but it isn't an opinionated message.
"to show the update is one thing to automatically show it every day (every time over and over and over) until the update is made is a complete other thing"
You do realize that this is how the other two update checks that show up on the control panel work, right? If you don't update Joomla, you keep getting the notification; if you don't update your extensions, you keep getting the notification. There is a third one now related to part of the server stack. All of those checks can be easily hidden by either applying the appropriate update(s) or turning off the notifications.
We will not remove this plugin from core. And we should not bring down the tone of the message to a point where it basically says "we hope you'll upgrade, but if you don't, no big deal". I have given guidance on what is or is not acceptable (basically don't mess with the array of support dates which is using the data from PHP itself, not some stuff we randomly drew out of a hat) for changes, anyone who wants to see a change is welcome to propose it. But I am not going to make changes because I feel it is important that users understand that maintaining a PHP based website is more than clicking the upgrade button in their application, they need to be aware of their server stack as well and PHP is a vital piece of that (which is why I proposed the plugin to begin with). Yes, this is a portion of their environment that many may not understand, and yes some will make the argument that PHP 5.3.10-1ubuntu3.26 is perfectly acceptable for use because Joomla supports it and a company has in essence forked that specific PHP release and backported selected bug fixes and security patches (and potentially introduced their own changes as well) under a claim of long term support, but facts are facts and the PHP project is not supporting that version anymore (it'd be the same if some company were doing long term support of Joomla! 2.5 after support for that ended; sure somebody is providing support but it sure isn't us).
Hi Michael,
I understand when you say, you want to keep the message as it is and that you want to keep the plugin.
I agree so far.
I want that plugin to be as effective as possible.
If you show it 19 months before eol, people will definitely switch it off for reasons I explained above.
If you change the trigger to show the message to eol minus 90 days, the plugin is doing just what you intend. Users get unrest, just 3 months left. The provider cannot say anymore: Relax, sooo much time.
So the effect will be much better.
So you can keep the array, just don't use the first value, only eol minus 90 days.
Your plugin will have a good impact three months before eol, 90% of people will say, we need to do something, it is urgent.
The other way, the plugin will have been deactivated one year ago, and people get no notification.
It is not against your plugin, it's about getting the most out of it. :-)
I agree (and I think nobody objected to that) that showing the notice two years in advance is too much. As Michael said, feel free to do a PR to change it so it displays 90 (or maybe 180) days in advance for the security notice.
It just needs someone to write that code.
I did a pull request. It is my first one, so try to keep that in mind when getting the light sabers out.
@StefanSTS You need to change the PR so it targets the Joomla staging branch. Currently it targets the staging branch in your fork
You should be able to edit the PR in GitHub and just select a different target branch.
Guess I made a big mess, but the last pull request should have worked.
Sorry, I never really used GIT and I am not a programmer. Things will probably improve. ;-)
Yep, the new one looks better
I'm closing this issue since we have a PR to test.
Status | Needs Review | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-05-15 07:51:31 |
Closed_By | ⇒ | Bakual |
iirc if you click on the close icon in the message then it will disappear